Abstract


This is the second volume of a two-volume report that presents a formal specification and
verification of a property of a quadruplicately redundant fault-tolerant microprocessor system
design. This volume gives a complete listing of the formal specification of the system and the
correctness theorems that were proved. The system performs the task of attaining interactive
consistency among the processors using a special instruction on the processors. The design is
based on an algorithm proposed by Pease, Shostak and Lamport. The microprocessor used
in the system is called FtCayuga, which was designed by extending another formally verified
microprocessor, MiniCayuga. The property verified ensures that an execution of the special
instruction by the processors correctly accomplishes interactive consistency, provided certain
preconditions hold. The verification was carried out using a computer-aided hardware design
verification tool, Spectool, and the theorem prover, Clio, both of which were developed at ORA.
A major contribution of the work is the demonstration of a significant fault-tolerant hardware
design that is mechanically verified by a theorem prover.
1 Introduction


NASA Langley Research Center has recently initiated a research effort to develop a validation
methodology for life-critical digital (fly-by-wire) flight control systems. Such systems must
meet stringent reliability requirements. The systems are expected to have a probability of
failure as low as 10^-9 for a 10 hour mission. Hence, as has been well-argued in [6], the
design and validation methods employed for such systems must meet high standards. The
designs must use fault-tolerant strategies to enable the continued operation of the system in
the presence of component failures. The validation methods must ensure that there are no
design errors in the system.

The process of formal verification is capable of showing that a system design satisfies a
specified property for all inputs and initial conditions of the design. Hence it is a promising
candidate for consideration as a validation technology for flight control systems. Digital
control systems are implemented using a combination of hardware and software components.
Hence, a formal verification technology for flight control systems must be applicable to both
software and hardware designs. This work is concerned with the formal verification of a
hardware design.

This report presents the formal verification of a hardware system for a task that is
an important component of a fault-tolerant computer architecture for flight control systems.
The hardware system implements an algorithm for attaining interactive consistency (byzantine
agreement) [2] among four microprocessors as a special instruction on the processors.
The property verified ensures that an execution of the special instruction by the processors
correctly accomplishes interactive consistency, provided certain preconditions hold. An
assumption is made that the processors execute synchronously. For verification, we used
a computer-aided hardware design verification tool, Spectool [3], and the theorem prover,
Clio [1], both of which were developed at ORA. The microprocessor used in the system is
called FtCayuga, which we designed by extending the formally verified microprocessor
MiniCayuga [4].

A major contribution of the work is the demonstration of a significant fault-tolerant
hardware design that is mechanically verified by a theorem prover. The work illustrates the
advantage of using hierarchy and abstraction in system design specification to manage the
complexity of formal verification. The work demonstrates the value of a special-purpose tool
that tailors the use of a theorem prover to a hardware domain in order to reduce the effort
required for formal verification.

This is the second volume of a two-volume report. The first volume [5] contains an
overview of the work and an informal description of the specification and the proof of
correctness. This volume contains the entire specification of the system and the definitions of all
the correctness theorems and lemmas we proved. This volume is intended as a supplement to
Volume 1, and, hence, the presentation in this volume assumes that you have read Volume 1.

The next section describes the general structure of a specification generated by Spectool,
which also appeared as appendix section A in Volume 1. We repeat this description
here for easy reference. The description is useful in understanding the design specifications
of the main blocks — IcNet, Voter, and FtCayuga — of our system. The rest of the material
in this volume is organized as follows.

1. The Voter Specification section contains the design and abstract specifications of the 
Voter. 

2. The FtCayuga Specification section contains the design and abstract specifications of 
FtCayuga. 

3. The IcNet Specification section contains the design and abstract specifications of IcNet. 

4. The Common Theory section contains definitions of the data types and primitive functions
on the data types that are used in the previous specifications. Some of these types
are unimplemented abstract types which are specified by axiomatizing the operations
on them.

5. The Main Lemmas section contains the definitions of the main theorem and the main 
lemmas with the help of which the main theorem was proved. The bridge theorems 
that connect the two levels of descriptions of IcNet and Voter appear as part of the 
abstraction specifications of the respective components. Since we did not prove the 
bridge theorems for FtCayuga, we have not included them here. 

6. The General Lemmas section contains the set of basic lemmas that were used in proving 
one or more of the lemmas in the Main Lemmas section. 
2 General Structure of a Specification Generated by Spectool


A design specification generated by Spectool consists of the parts described in the following 
sections. 


2.1 Structural Specification Part 

This part specifies the data path architecture. It defines a set of types to model the data path 
state and a set of functions to specify the connections between the data path components. 
Spectool generates this part in a generic fashion from the following structural information 
about the data path provided by the user: 

1. the names of components and component classes, 

2. the names of the actions defined on components, 

3. the types that model the internal states of components, 

4. the types of the external inputs to the circuit, and 

5. the graphical connections between components. 

To give the reader an idea of this part of a design specification, a fragment of the structural 
specification part of the voter circuit is shown below. 

|| Generic part of the data path state definition

type SYSTEM_STATE = COMP->LOCAL_STATE

type INPUT_STREAM = NAT->EXTSTATE

type CHANGE = <<COMP,NAT,LOCAL_STATE>>

type STATE = <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>

|| A type for every component class. The type defines the names of
|| all the components used in the data path that belong to the class.
majority ::= MAJ1 | MAJ2 | MAJ3

bytereg ::= PR1 | PR2 | PR3 | R12 | R13 | R23 | R31 | R32

bitlatch ::= VS | ST

|| A labeled union type of all the component class types
COMP ::= Controller | C_majority !majority | C_mux4 !mux4
       | C_bytereg !bytereg | C_bitlatch !bitlatch

|| A labeled union type of all local states of components
LOCAL_STATE ::= S_Controller !CONTROLSTATE
              | S_majority !majority_localstate
              | S_mux4 !mux4_localstate
              | S_bytereg !bytereg_localstate
              | S_bitlatch !bitlatch_localstate

ACTION ::= A_majority !majority_ACT
         | A_mux4 !mux4_ACT
         | A_bytereg !bytereg_ACT
         | A_bitlatch !bitlatch_ACT

|| The following specifies the input connections to the component MAJ2
majorityinput s (C_majority MAJ2) =
    <<getbyteregout0 (current s (C_bytereg R32)),
      getbyteregout0 (current s (C_bytereg R12)),
      getbyteregout0 (current s (C_bytereg PR2))>>


The type STATE defines the data path state as a tuple: <<SYSTEM_STATE, [CHANGE],
INPUT_STREAM>>. SYSTEM_STATE maps every component (an element of type COMP) in the
data path to its LOCAL_STATE. [CHANGE] is the list of pending actions on the data path
components. This list is maintained to simulate the effect of delays on actions. The list
contains an update record for each of the actions that has been triggered by the controller
on components, but is yet to be completed. The first two fields of STATE define a snapshot
in time of the data path state. The state of a component is given by SYSTEM_STATE unless
an action is pending on the component, in which case the state is bottom.

The third field of the tuple, INPUT_STREAM, specifies the values of the external inputs
to the circuit as a function of time. INPUT_STREAM is a function type from time (NAT) to
EXTSTATE, where EXTSTATE is a type that combines all the external inputs into a tuple.
The type LOCAL_STATE is a labeled union of the local states of all the components
of the data path (and the controller). The local state type of a component is a tuple of
its internal state and (a tuple of) its outputs. The definition of the local state type of a
component appears as part of the component class specification.

The set of components in a data path is organized so that every component is an 
instance of a component class. The type COMP groups together the names of all the compo- 
nents in a data path. It is defined as a labeled union of all the component class types, where 
a component class type is an enumerated type of the names of all the components belonging 
to the corresponding class. 

Similarly, the type ACTION groups together the names of all the actions on the components
of a data path. It is defined as a labeled union of all the action types of the component
classes, where the action type of a component class is an enumerated type of the names of
all the actions defined for the class. The definition of the action type of a component class
appears as part of the component class specification.

Connections between data path components are specified by defining, for every com- 
ponent, a function that determines the inputs to the component in a given data path state. 


2.2 Component Classes Specification Part 

Every component in the data path is an instance of a component class. The components
belonging to the same class share several attributes. This part specifies the shared attributes
of a class for every class used in a design. A component class specification defines the type
that denotes the internal state of a component of the class, the types of the outputs, a
type denoting the names of the actions on the components, and the effects of the actions
on the components. For every action, it defines three functions: the "state" and "output"
functions return, respectively, the new state and the new outputs of a component after the
action is performed, and the "delay" function gives the delay associated with the action. For
illustration, a part of the specification of the majority component class used in the voter
circuit is given below.

|| The component class majority.

|| Local state of majority: <<internal state type, <<output types>>>>
type majority_localstate = <<<<data, BOOL>>, <<(byte), (BOOL)>>>>

|| Type denoting the actions on the components of the class
majority_ACT ::=
    select3 !majority |
    select2 !majority |
    select0 !majority |
    select1 !majority |
    comp !majority

majoritydelay (select3 c) = #0
majoritycomp (select3 c) = C_majority c

majorityout (select3 c) s <<in1,in2,in3>> = <<get_byte 3 (dataof s), bitof s>>
majoritystate (select3 c) s <<in1,in2,in3>> = s

majoritydelay (select2 c) = #0
majoritycomp (select2 c) = C_majority c

majorityout (select2 c) s <<in1,in2,in3>> = <<get_byte 2 (dataof s), bitof s>>
majoritystate (select2 c) s <<in1,in2,in3>> = s


2.3 Controller Specification Part 

A controller is specified by means of two functions, nextstate and scheduler. The nextstate
function gives the next controller state as a function of the current state and the controller
inputs. The nextstate function is used at the end of each cycle to advance the controller
state. The function scheduler returns a list of actions as a function of the controller state,
the controller inputs, and the phase. For illustration, a part of the specification of the
controller for the voter circuit is shown below.

CONTROLSTATE ::= LDP1 | LDP2 | XNG11 | XNG12 | XNG21 | XNG22 | XNG31
               | XNG32 | CMPP | OUT1 | OUT2

nextstate LDP1 in = (~(startedof in))->(LDP1) ; (LDP2)
nextstate LDP2 in = XNG11

scheduler XNG11 <<vstart, started>> 0 = (selprvt1byte0)
selprvt1byte0 = [A_bytereg(read0 PR1), A_mux4(choose3 MUX)]

scheduler XNG12 <<vstart, started>> 0 = (selprvt1byte2)
selprvt1byte2 = [A_bytereg(read2 PR1), A_mux4(choose3 MUX)]

|| Some of the details specific to the voter design
|| There are 4 clock phases per cycle.
num_phases = 4

2.4 Composite Behavior Specification Part 

This part defines a set of functions that derive the composite behavior of a design using the 
information expressed in the rest of the specification. This part formalizes in Caliban the 
operational model of the behavior of a finite state controller system. This part is identical 
for every circuit since Spectool generates it in a completely generic fashion. The higher-order 
function definition capability of Caliban is a primary reason why it is possible to express 
this part in a generic fashion. A top level fragment of this part of the specification is shown 
below. 

Execute s = do_phases 0 s
Output s = generate_output 0 s

do_phases n s = update_state s , n = num_phases
                do_phases (n+1) (do_phase n s)

do_phase n <<s,p,in>> =
    advance_inputstream (do_actions (current_schedule s2 n) s2)
    where s2 = update_state <<s,p,in>>

The two main functions defined in this part are Execute and Output. Execute advances
the state of the system across a single cycle. Output returns the (tuple of) external outputs
produced by the circuit over the next cycle. Output actually returns a list of outputs, one for
every phase in a cycle. The two functions are defined hierarchically in terms of several other
functions, some of which are described below.
To simulate the effect of delays on component actions, the specification maintains a
list of records of pending updates that have been triggered by the controller, but are yet to
take effect on the circuit state. The update record for an action contains the component on
which the update is pending, a time-out counter that is initialized to the delay of the action
and decremented after every phase, and the result of the update. The function update_state
causes the result of all the update records on the list that have timed out to take effect on
the circuit state. The function also decrements the time-out counter of the update records
that have not yet timed out by one unit of time. The purposes of the rest of the functions
should be apparent from their names. They are summarized below.

• The function do_phases updates the state for all the phases in a cycle.

• The function do_phase updates the state for a single phase. It causes (using update_state)
  the pending updates that have timed out to take effect; gets the current_schedule
  from the controller, makes new update records (using do_actions) for all the actions
  in the schedule, and then advances the input stream by a time unit.
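
The pending-update mechanism summarized above, as an added Python model (not the report's Caliban and not generated by Spectool): current, do_change, update_state, do_action, do_phase and execute follow the generic definitions of this part, while demo_scheduler, demo_state and trace_cycle are constructed helpers that schedule a delay-0 load and a delay-2 update on a two-component circuit and show the component reading as bottom until its update times out.

```python
# Added example (not from the report): a Python model of the generic execution
# part described above. A STATE is (system_state, pending_changes, input_stream);
# an update record <<component, time-out, result>> whose counter is 0 takes
# effect in update_state, otherwise it is requeued with the counter decremented,
# so an action of delay d scheduled in phase n lands at the start of phase n+d.
# The two-component circuit, its scheduler and the input stream used by the demo
# helpers are constructed for illustration and are not the voter design.
NUM_PHASES = 4
BOTTOM = None   # stands for the undefined value bottom

def current(state, comp):
    """Value of a component, or BOTTOM while an update on it is pending."""
    sys_state, pending, _ = state
    if any(c == comp for c, _, _ in pending):
        return BOTTOM
    return sys_state[comp]

def do_change(change, state):
    """do_change: apply a record whose counter is Zero, else requeue it aged."""
    comp, timeout, value = change
    sys_state, pending, stream = state
    if timeout == 0:
        return ({**sys_state, comp: value}, pending, stream)
    return (sys_state, [(comp, timeout - 1, value)] + pending, stream)

def update_state(state):
    """Replay every pending record against an emptied pending list."""
    sys_state, pending, stream = state
    new_state = (sys_state, [], stream)
    for change in pending:
        new_state = do_change(change, new_state)
    return new_state

def do_action(action, state):
    """change_of: <<component a, delay a, effect a s>>, then do_change."""
    comp, delay, effect = action
    return do_change((comp, delay, effect(state)), state)

def do_actions(actions, state):
    for action in actions:
        state = do_action(action, state)
    return state

def advance_inputstream(state):
    """Shift the input stream by one time unit (in . Succ)."""
    sys_state, pending, stream = state
    return (sys_state, pending, lambda t: stream(t + 1))

def do_phase(n, state, scheduler):
    s2 = update_state(state)
    return advance_inputstream(do_actions(scheduler(s2, n), s2))

def execute(state, scheduler):
    """Execute: all phases of one cycle, then the final update_state."""
    for n in range(NUM_PHASES):
        state = do_phase(n, state, scheduler)
    return update_state(state)

def demo_scheduler(st, n):
    """Constructed schedule: delay-0 load of R from the current input in phase 0
    and a delay-2 compute on MAJ, reading R, in phase 1; nothing in 2 and 3."""
    if n == 0:
        return [("R", 0, lambda s: s[2](0))]
    if n == 1:
        return [("MAJ", 2, lambda s: (current(s, "R") + 1) & 0xFF)]
    return []

def demo_state():
    """Constructed initial state with a constant input stream of 0x5A."""
    return ({"R": 0x00, "MAJ": 0x00}, [], lambda t: 0x5A)

def trace_cycle():
    """What current reports for MAJ after each phase of one cycle: its old
    value, then bottom while the delay-2 update is pending, then the new one."""
    state, seen = demo_state(), []
    for n in range(NUM_PHASES):
        state = do_phase(n, state, demo_scheduler)
        seen.append(current(state, "MAJ"))
    return seen
```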


3 Voter Specification 

3.1 Abstract Specification 


FROM CommonTheorySec IMPORT update_byte, DATUM, Word, data, get_byte, good
FROM VoterDesignSec IMPORT controllerstate, majority_of, majority_exists,
        OUT1, OUT2, XNG11, XNG12, XNG21, XNG22, XNG31, XNG32,
        CMPP, LDP1, LDP2,
        Execute, inlist_from, Proper_state, Output,
        CONTROLSTATE, startedof, nextstate,
        get_PR1_state, get_PR2_state, get_PR3_state,
        get_R21_state, get_R31_state,
        get_R12_state, get_R32_state,
        get_R13_state, get_R23_state,
        get_MAJ1_state, get_MAJ2_state, get_MAJ3_state,
        get_VS_state,
        external_input_prvt1, external_input_prvt2,
        external_input_prvt3, external_input_vin1,
        external_input_vin2, external_input_vin3,
        external_input_vstart, from_proc, from_vtrs,
        map


select Zero (a:x) = a
select (Succ n) (a:x) = select n x

take Zero x = []
take (Succ n) (a:x) = a : take n x

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Abstraction of the voterstate:

VoterABS s = <<controllerstate s, Voter_array s, Voter_maj s, goahead s>>

Voter_array s 1 1 = get_PR1_state s
Voter_array s 1 2 = get_PR2_state s
Voter_array s 1 3 = get_PR3_state s
Voter_array s 2 1 = get_R21_state s
Voter_array s 2 2 = get_R12_state s
Voter_array s 2 3 = get_R13_state s
Voter_array s 3 1 = get_R31_state s
Voter_array s 3 2 = get_R32_state s
Voter_array s 3 3 = get_R23_state s

Voter_maj s =
    <<get_MAJ1_state s, get_MAJ2_state s, get_MAJ3_state s>>
goahead s = get_VS_state s

Voter_from_proc s = map from_proc (take #4 (inlist_from s))

Voter_from_voters s = map from_vtrs (take #4 (inlist_from s))

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

HALFWORD_KIND ::= LO | HI

VoterStep <<cstate, array, maj, go>> from_proc from_voters =
    <<nextstate cstate <<go,go>>, newarray, newmaj, newgo>>
    where
    newarray {(cstate = LDP1) & go} = update_row1 LO array from_proc
    newarray {cstate = LDP2} = update_row1 HI array from_proc
    newarray {cstate = XNG11} = update_diagonal 0 LO array from_voters
    newarray {cstate = XNG12} = update_diagonal 0 HI array from_voters
    newarray {cstate = XNG21} = update_diagonal 1 LO array from_voters
    newarray {cstate = XNG22} = update_diagonal 1 HI array from_voters
    newarray {cstate = XNG31} = update_diagonal 2 LO array from_voters
    newarray {cstate = XNG32} = update_diagonal 2 HI array from_voters
    newarray = array                       || otherwise it's unchanged

    newmaj = (cstate = CMPP)->(maj_vector array) ; maj

    newgo = beginof (select (#2) from_proc) , cstate = OUT2
            beginof (select (#2) from_proc) , (cstate = LDP1) & (~go)
            go

update_row1 LO array in =
    update_array (update_array array row1 0 (proc_in (select Zero in)))
                 row1 1 (proc_in (select (#2) in))

update_row1 HI array in =
    update_array (update_array array row1 2 (proc_in (select Zero in)))
                 row1 3 (proc_in (select (#2) in))

update_diagonal n LO array in =
    update_array
        (update_array array (diagonal (#n)) 0 (cross_in n (select (#1) in)))
        (diagonal (#n)) 1 (cross_in n (select (#3) in))
update_diagonal n HI array in =
    update_array
        (update_array array (diagonal (#n)) 2 (cross_in n (select (#1) in)))
        (diagonal (#n)) 3 (cross_in n (select (#3) in))

update_array_byte array <<i,j>> b v i j = update_byte b (array i j) v
update_array_byte array <<i,j>> b v k l = array k l

update_array array [] b [] = array
update_array array (a:x) b (c:y) =
    update_array (update_array_byte array a b c) x b y




iterate Zero f x = x
iterate (Succ n) f x = iterate n f (f x)

succ 1 = 2
succ 2 = 3
succ 3 = 1
diagonal n =
    [<<2, iterate n succ 2>>, <<3, iterate n succ 3>>]
row1 = [<<1,1>>, <<1,2>>, <<1,3>>]

cross_in 2 <<v1,v2,v3>> = [v2,v1]
cross_in 1 <<v1,v2,v3>> = [v3,v1]
cross_in 0 <<v1,v2,v3>> = [v3,v2]

proc_in <<x,y,z,go>> = [x,y,z]

beginof <<x,y,z,go>> = go

compute_majority x y z = <<majority_of x y z, majority_exists x y z>>
maj_vector array =
    << compute_majority (array 1 1) (array 2 1) (array 3 1),
       compute_majority (array 1 2) (array 2 2) (array 3 2),
       compute_majority (array 1 3) (array 2 3) (array 3 3)>>
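
The abstract VoterStep above, as an added Python model (not the report's Caliban): nextstate, update_row1, update_diagonal, cross_in, diagonal and maj_vector follow the definitions in this section, while run_cycle and in_phases are assumed driver helpers, and the 2-of-3 rule in compute_majority stands in for the axiomatized majority_of and majority_exists. The driver walks one cycle from LDP1 to OUT2 on constructed inputs, including one column whose three copies all differ, so that its majority_exists flag comes out False.

```python
# Added example (not from the report): a Python model of the abstract voter
# VoterStep above, driven through one full cycle LDP1 .. OUT2. Words are 32-bit
# ints, the 3x3 array is a dict keyed by (row, column), and from_proc and
# from_voters are lists of four per-phase tuples, as in the specification.
# majority_of / majority_exists are axiomatized in the report; the 2-of-3 rule
# below (x when no majority exists) and the driver helpers are assumptions.
LO, HI = "LO", "HI"
ROW1 = [(1, 1), (1, 2), (1, 3)]
NEXT = {"LDP2": "XNG11", "XNG11": "XNG12", "XNG12": "XNG21", "XNG21": "XNG22",
        "XNG22": "XNG31", "XNG31": "XNG32", "XNG32": "CMPP", "CMPP": "OUT1",
        "OUT1": "OUT2", "OUT2": "LDP1"}

def nextstate(cs, started):   # only LDP1 waits on its input
    return ("LDP2" if started else "LDP1") if cs == "LDP1" else NEXT[cs]

def get_byte(b, word):
    return (word >> (8 * b)) & 0xFF

def update_byte(b, word, v):
    return (word & ~(0xFF << (8 * b))) | ((v & 0xFF) << (8 * b))

def update_array(array, positions, b, values):
    # Write byte b of each listed position from the corresponding value.
    new = dict(array)
    for pos, v in zip(positions, values):
        new[pos] = update_byte(b, array[pos], v)
    return new

def diagonal(n):   # [<<2, iterate n succ 2>>, <<3, iterate n succ 3>>]
    return [(2, (1 + n) % 3 + 1), (3, (2 + n) % 3 + 1)]

def cross_in(n, v):   # which two voter inputs feed diagonal n, in order
    v1, v2, v3 = v
    return {2: [v2, v1], 1: [v3, v1], 0: [v3, v2]}[n]

def update_row1(kind, array, inp):
    # proc_in <<x,y,z,go>> = [x,y,z]; LO fills bytes 0,1 and HI bytes 2,3
    b0, b1 = (0, 1) if kind == LO else (2, 3)
    a = update_array(array, ROW1, b0, inp[0][:3])
    return update_array(a, ROW1, b1, inp[2][:3])

def update_diagonal(n, kind, array, inp):
    b0, b1 = (0, 1) if kind == LO else (2, 3)
    a = update_array(array, diagonal(n), b0, cross_in(n, inp[1]))
    return update_array(a, diagonal(n), b1, cross_in(n, inp[3]))

def compute_majority(x, y, z):
    # <<majority_of x y z, majority_exists x y z>> under the assumed 2-of-3 rule
    if x == y or x == z:
        return (x, True)
    return (y, True) if y == z else (x, False)

def maj_vector(array):
    # Vote down each column: own value (row 1) against the two relayed copies.
    return tuple(compute_majority(array[(1, j)], array[(2, j)], array[(3, j)])
                 for j in (1, 2, 3))

def voter_step(state, from_proc, from_voters):
    cs, array, maj, go = state
    if cs == "LDP1" and go:
        array = update_row1(LO, array, from_proc)
    elif cs == "LDP2":
        array = update_row1(HI, array, from_proc)
    elif cs.startswith("XNG"):   # XNGn1 is round n-1 LO, XNGn2 is round n-1 HI
        kind = LO if cs[4] == "1" else HI
        array = update_diagonal(int(cs[3]) - 1, kind, array, from_voters)
    if cs == "CMPP":
        maj = maj_vector(array)
    # beginof (select #2 from_proc): the go bit is sampled in phase 2
    new_go = from_proc[2][3] if cs == "OUT2" or (cs == "LDP1" and not go) else go
    return (nextstate(cs, go), array, maj, new_go)

def in_phases(words, kind, slots, go=None):
    # Constructed per-phase input: byte b0 of each word in phase slots[0], byte
    # b1 in slots[1]; from_proc tuples carry a trailing go bit, from_voters not.
    b0, b1 = (0, 1) if kind == LO else (2, 3)
    tail = () if go is None else (go,)
    out = [(0, 0, 0) + tail] * 4
    for slot, b in zip(slots, (b0, b1)):
        out[slot] = tuple(get_byte(b, w) for w in words) + tail
    return out

def run_cycle(private, exchanges):
    # Drive the voter from LDP1 (go already high) back to LDP1 in 11 steps;
    # returns the final state and the sequence of control states visited.
    state = ("LDP1", {(i, j): 0 for i in (1, 2, 3) for j in (1, 2, 3)}, None, True)
    trace = []
    for _ in range(11):
        cs = state[0]
        fp = in_phases([0, 0, 0], LO, (0, 2), False)
        fv = in_phases([0, 0, 0], LO, (1, 3))
        if cs in ("LDP1", "LDP2"):
            fp = in_phases(private, LO if cs == "LDP1" else HI, (0, 2), False)
        elif cs.startswith("XNG"):
            fv = in_phases(exchanges[int(cs[3]) - 1], LO if cs[4] == "1" else HI, (1, 3))
        state = voter_step(state, fp, fv)
        trace.append(state[0])
    return state, trace
```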

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Correspondence between the levels:

Voter_Step_lemma :=
    Proper_state 's'
    => 'VoterABS (Execute s)'
       = 'VoterStep (VoterABS s) (Voter_from_proc s) (Voter_from_voters s)'

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| Voter output functions. We define one function for every output
|| of the Voter. The function defines the list of output signals
|| produced at that port in the "output phases" (0 and 2) of a cycle.

maj_out n <<cstate, array, maj, go>>
    = low_half (get_maj_val n maj) , (cstate = OUT1)
      high_half (get_maj_val n maj) , (cstate = OUT2)
      dont_care                      || don't care in other cases

dont_care = <<bottom,bottom>>

get_maj_val 1 <<<<b0,b1>>,<<c0,c1>>,<<d0,d1>>>> = b0
get_maj_val 2 <<<<b0,b1>>,<<c0,c1>>,<<d0,d1>>>> = c0
get_maj_val 3 <<<<b0,b1>>,<<c0,c1>>,<<d0,d1>>>> = d0

low_half (DATUM (Word byte3 byte2 byte1 byte0)) = <<byte0, byte1>>
high_half (DATUM (Word byte3 byte2 byte1 byte0)) = <<byte2, byte3>>

crossout <<cstate, array, maj, go>>
    = xng_out cstate array          || depends only on cstate and array

xng_out cs array
    = sendlow 1 array, (cs = XNG11)
      sendhigh 1 array, (cs = XNG12)
      sendlow 2 array, (cs = XNG21)
      sendhigh 2 array, (cs = XNG22)
      sendlow 3 array, (cs = XNG31)
      sendhigh 3 array, (cs = XNG32)
      dont_care                     || don't care, otherwise

sendlow n array = <<get_byte 0 (array 1 n), get_byte 1 (array 1 n)>>
sendhigh n array = <<get_byte 2 (array 1 n), get_byte 3 (array 1 n)>>

statusout <<cstate, array, maj, go>> = getstatus maj , (cstate = CMPP)
                                       dont_care

getstatus <<<<maj11,maj12>>, <<maj21,maj22>>, <<maj31,maj32>>>>
    = <<<<maj12,maj22,maj32>>, <<maj12,maj22,maj32>>>>

sndngout <<cstate, array, maj, go>>
    = <<True,True>> , (cstate = OUT1)
      <<True,True>> , (cstate = OUT2)
      <<False,False>>

freeout <<cstate, array, maj, go>>
    = <<True,True>> , (cstate = LDP1)
      <<False,False>>

|| Now the tuple <<maj_out 1 s, maj_out 2 s, ..., freeout s>> will be a tuple
|| of lists of length two. The output function at the lower level
|| gives a list of tuples of length two. To compare the two levels,
|| we must "transpose" one of the representations.

transpose [<<a0,b0,c0,d0,e0,f0,g0>>, <<a1,b1,c1,d1,e1,f1,g1>>]
    = <<<<a0,a1>>, <<b0,b1>>, <<c0,c1>>, <<d0,d1>>, <<e0,e1>>,
        <<f0,f1>>, <<g0,g1>>>>

VoterOut s = <<maj_out 1 s, maj_out 2 s, maj_out 3 s, statusout s,
               crossout s, sndngout s, freeout s>>

VoterOut_Lemma := 'VoterOut (VoterABS s)'
                  = 'transpose (Output s)' , Proper_state 's'

|| Now we will write another description of the voter, similar to the one
|| above, but with the inputs and outputs grouped differently and with
|| the input stream separated from the state. This description is used
|| when the voter is thought of as a component in a larger system.

type ARRAY = NUM->NUM->data

type MAJSTATE = <<data,BOOL>>

type MAJROW = <<MAJSTATE,MAJSTATE,MAJSTATE>>

type VOTERSTATE = <<CONTROLSTATE, ARRAY, MAJROW, BOOL>>

|| The input tuple used above has the form <<pvt1,pvt2,pvt3,v1,v2,v3,b>>,
|| and each cycle consumes four such tuples from the input stream.
|| The new description of the voter is as a component having
|| four inputs from_proc = <<go,pvt1,pvt2,pvt3>>, and v1, v2, and v3,
|| each of which is a four tuple (representing the values on the input wires
|| in each of the four phases).

serial_from_proc <<<<<<go0,go1,go2,go3>>, <<pvt10,pvt11,pvt12,pvt13>>,
                     <<pvt20,pvt21,pvt22,pvt23>>,
                     <<pvt30,pvt31,pvt32,pvt33>>>>, v1, v2, v3>> =
    [<<pvt10,pvt20,pvt30,go0>>,
     <<pvt11,pvt21,pvt31,go1>>,
     <<pvt12,pvt22,pvt32,go2>>,
     <<pvt13,pvt23,pvt33,go3>>]

serial_from_voter <<pr, <<v10,v11,v12,v13>>, <<v20,v21,v22,v23>>,
                        <<v30,v31,v32,v33>>>> =
    [<<v10,v20,v30>>,
     <<v11,v21,v31>>,
     <<v12,v22,v32>>,
     <<v13,v23,v33>>]

|| So, in the new description, the voter has a state s :: VOTERSTATE
|| and it gets an input in = <<from_proc, from_v1, from_v2, from_v3>>.




|| We can define its new state by using the function VoterStep defined above.

vo voterstep s in = VoterStep s (serial_from_proc in) (serial_from_voter in)

|| The voter-component will have four output ports: to_proc, cross1, cross2,
|| and cross3. The "cross" outputs will all be the same:

cross_out <<cs,array,mj,b>> = pad (xng_out cs array)

pad <<a,b>> = <<a,a,b,b>>

|| The output "to_proc" contains all the other outputs of the voter:

to_proc s = drop_cross (VoterOut s)

drop_cross <<m1, m2, m3, status, cross, sndng, free>> =
    <<m1,m2,m3,status,sndng,free>>

good_array a =
    (good (a 1 1)) & (good (a 1 2)) & (good (a 1 3))
    & (good (a 2 1)) & (good (a 2 2)) & (good (a 2 3))
    & (good (a 3 1)) & (good (a 3 2)) & (good (a 3 3))

good_maj_row <<a,b,c>> = good_maj a & (good_maj b) & (good_maj c)
good_maj <<a,b>> = good a & !b

||clio: sy good_array ex
||clio: sy good_maj_row ex
||clio: sy good_maj ex

Proper_voterstate '<<cs, array, mj, go>>' :=
    '!cs'='True'
    & 'good_array array'='True'
    & 'good_maj_row mj'='True'
    & '!go'='True'

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

Proper_VoterABS_lemma :=
    Proper_state 's' => Proper_voterstate 'VoterABS s'

|| Here are some functions we need to specify the next level of abstraction.

control <<cs, array, maj, go>> = cs
arrayof <<cs, array, maj, go>> = array
maj_of <<cs, array, maj, go>> = maj
go_of <<cs, array, maj, go>> = go

row1of <<cs, array, maj, go>> = <<array 1 1, array 1 2, array 1 3>>

|| Now we'll define a predicate that says how well defined the inputs
|| to the voter need to be in order to result in a Proper_voterstate.
good_voter_in cs in = !!(serial_from_voter in) , xng_cycle cs
                      !!(serial_from_proc in)

xng_cycle XNG11 = True
xng_cycle XNG12 = True
xng_cycle XNG21 = True
xng_cycle XNG22 = True
xng_cycle XNG31 = True
xng_cycle XNG32 = True
xng_cycle cs = False

Proper_voterstate_lemma :=
    (Proper_voterstate 's' & 'good_voter_in (control s) in'='True')
    => Proper_voterstate 'voterstep s in'

|| When the voter state is not LDP1 the nextstate is a function
|| of the current state only. We need to export this function:
next_voterstate s = nextstate s bottom


3.2 Design Specification 

FROM CommonTheorySec IMPORT data, byte, good, BYTE0, BYTE1, BYTE2, BYTE3,
        set_byte, byte_inc, get_byte, update_byte

good_mstate <<s,b>> c = good s & !b & (b=c)

||clio: sy good_mstate extend

|| Generated by the spectool
||clio: symbol Execute never

||clio: mod * off
||clio: add *
||clio: mod * on

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*


|| The Controller.

COMP ::= Controller |+

ACTION ::= Advance_controller |+

CONTROLSTATE :: type

LOCAL_STATE ::= S_Controller !CONTROLSTATE |+
getcontrolstate (S_Controller x) = x
is_proper_contr (S_Controller x) = !x
||clio: sy is_proper_contr extend

controllerstate s = getcontrolstate (current s Controller)

effect Advance_controller s c =
    S_Controller (nextstate (controllerstate s) (controllerinput s))

delay Advance_controller = #0

component Advance_controller = Controller

controllerinput s = <<getbitlatchout0 (current s (C_bitlatch VS)),
                      getbitlatchout0 (current s (C_bitlatch ST))>>

| | *=*=*=*=*=*=*=*=* 3 *=*=*=*:=*-*=*=*=*=*=*=*=*= : * ss *=*-* — 

I | The Control states and the next. state function. 

vstartof <<vstart f started>> = vstart 
startedof <<vstart, started>> = started 


CONTROLSTATE LDP1 1+ 
nextstate LDP1 in = ( (startedof 
CONTROLSTATE ::= LDP2 1+ 
nextstate LDP2 in = XNG11 
CONTROLSTATE : := XNG11 1+ 
nextstate XNGli in - XNG12 
CONTROLSTATE ::= XNG12 | + 
nextstate XNG12 in = XNG21 
CONTROLSTATE XNG21 |+ 

nextstate XNG21 in 31 XNG22 
CONTROLSTATE : : = XNG22 I + 
nextstate XNG22 in = XNG31 
CONTROLSTATE XNG31 | + 

nextstate XNG31 in 58 XNG32 
CONTROLSTATE : : = XNG32 I + 
nextstate XNG32 in * CMPP 
CONTROLSTATE CMPP !+ 

nextstate CMPP in = QUT1 


in))->(LDPl) ; (LDP2) 
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CONTROLSTATE ::= OUT1 |+ 
nextstate 0UT1 in = 0UT2 
CONTROLSTATE ::= 0UT2 | + 
nextstate 0UT2 in = LDP1 
CONTROLSTATE ::= | 

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component External.

type EXTSTATE = <<byte, byte, byte, byte, byte, byte, BOOL>>

external_input_prvt1 <<x0, x1, x2, x3, x4, x5, x6>> = x0

external_input_prvt2 <<x0, x1, x2, x3, x4, x5, x6>> = x1

external_input_prvt3 <<x0, x1, x2, x3, x4, x5, x6>> = x2

external_input_vin1 <<x0, x1, x2, x3, x4, x5, x6>> = x3

external_input_vin2 <<x0, x1, x2, x3, x4, x5, x6>> = x4

external_input_vin3 <<x0, x1, x2, x3, x4, x5, x6>> = x5

external_input_vstart <<x0, x1, x2, x3, x4, x5, x6>> = x6
is_proper_ext <<x0, x1, x2, x3, x4, x5, x6>> =
    (!x0) & (!x1) & (!x2) & (!x3) & (!x4) & (!x5) & (!x6)
||clio: sy is_proper_ext extend

current_input <<s,p,in>> = in Zero
nth_input n <<s,p,in>> = in n
||clio: sy Proper_External extend
Proper_External '<<s,p,in>>' :=
    (t::NAT) 'is_proper_ext (in t)'='True'

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| There are 4 clock phases per cycle.
num_phases = 4

input_phases = [#0, #1, #2, #3]

output_phase 0 = True
output_phase 2 = True
output_phase n = False

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The generic Execute function.

type SYSTEM_STATE = COMP->LOCAL_STATE

type INPUT_STREAM = NAT->EXTSTATE

type CHANGE = <<COMP, NAT, LOCAL_STATE>>

type STATE = <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>

pending_changes <<s,p,in>> = p

|| A component reads as bottom while an update on it is pending
current <<s,p,in>> c = bottom, pending p c
                       s c

pending [] c = False
pending (<<c,t,v>>:rest) c = True
pending (<<c2,t,v>>:rest) c = pending rest c

Execute s = do_phases 0 s

do_phases n s = update_state s , n = num_phases
                do_phases (n+1) (do_phase n s)

Output s = generate_output 0 s

generate_output n s {n=num_phases} = []
generate_output n s {output_phase n} =
    Out (do_phase n s) : generate_output (n+1) (do_phase n s)
generate_output n s = generate_output (n+1) (do_phase n s)

||clio: modify_rule "do_phases" count 20000
||clio: symbol do_phases never

update_state <<s,p,in>> = do_changes p <<s,[],in>>
do_phase n <<s,p,in>> =
    advance_inputstream (do_actions (current_schedule s2 n) s2)
    where s2 = update_state <<s,p,in>>

current_schedule s n = scheduler (controllerstate s) (controllerinput s) n

do_change <<c,Zero,v>> <<s,p,in>> = <<update s c v, p, in>>
do_change <<c,Succ n,v>> <<s,p,in>> = <<s, <<c,n,v>>:p, in>>

do_action a s = do_change (change_of a s) s

advance_inputstream <<s,p,in>> = <<s,p,in . Succ>>

change_of a s = <<component a, delay a, effect a s (component a)>>
do_changes [] s = s
do_changes (<<c,t,v>>:rest) s = do_changes rest (do_change <<c,t,v>> s)

|| This is a trick to handle conditional actions correctly
do_actions :: [ACTION]->STATE->STATE

AXIOM (s) 'do_actions [] s' = 's'
AXIOM (a) (rest) (s) 'do_actions (a:rest) s' = 'do_actions rest (do_action a s)'
update s c v c2 = (c=c2)->v; s c2

foldl op s [] = s
foldl op s (a:rest) = foldl op (op a s) rest
map f [] = []
map f (a:x) = (f a) : (map f x)
list_to Zero = []
list_to (Succ n) = list_to n ++ [n]
iterate f Zero s = s
iterate f (Succ n) s = iterate f n (f s)

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| Component Classes.

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| The component class majority.

majority :: type

type majority_localstate = <<<<data, BOOL>>, <<(byte), (BOOL)>>>>

LOCAL_STATE ::= S_majority !majority_localstate |+

ACTION ::= A_majority !majority_ACT |+
majority_ACT ::=
    select3 !majority |
    select2 !majority |
    select0 !majority |
    select1 !majority |
    comp !majority

majoritydelay (select3 c) = #0
majoritycomp (select3 c) = C_majority c
majorityout (select3 c) s <<in1,in2,in3>> = <<get_byte 3 (dataof s), bitof s>>
majoritystate (select3 c) s <<in1,in2,in3>> = s

majoritydelay (select2 c) = #0
majoritycomp (select2 c) = C_majority c
majorityout (select2 c) s <<in1,in2,in3>> = <<get_byte 2 (dataof s), bitof s>>
majoritystate (select2 c) s <<in1,in2,in3>> = s

majoritydelay (select0 c) = #0
majoritycomp (select0 c) = C_majority c
majorityout (select0 c) s <<in1,in2,in3>> = <<get_byte 0 (dataof s), bitof s>>
majoritystate (select0 c) s <<in1,in2,in3>> = s

majoritydelay (select1 c) = #0
majoritycomp (select1 c) = C_majority c
majorityout (select1 c) s <<in1,in2,in3>> = <<get_byte 1 (dataof s), bitof s>>
majoritystate (select1 c) s <<in1,in2,in3>> = s

majoritydelay (comp c) = #2
majoritycomp (comp c) = C_majority c
majorityout (comp c) s <<in1,in2,in3>> =
    <<get_byte 0 (majority_of in1 in2 in3), majority_exists in1 in2 in3>>
majoritystate (comp c) s <<in1,in2,in3>> =
    <<majority_of in1 in2 in3, majority_exists in1 in2 in3>>

effect (A_majority a) = majorityeffect a
delay (A_majority a) = majoritydelay a
component (A_majority a) = majoritycomp a
majorityeffect a s c =
    S_majority <<majoritystate a (getmajoritystate (current s c)) (majorityinput s c),
                 majorityout a (getmajoritystate (current s c)) (majorityinput s c)>>

getmajoritystate (S_majority <<x,y>>) = x
getmajorityout0 (S_majority <<x,<<y0,y1>> >>) = y0
getmajorityout1 (S_majority <<x,<<y0,y1>> >>) = y1

is_proper_majority (S_majority <<x,<<y0,y1>> >>) = (! y0) & (! y1)
||clio: sy is_proper_majority extend

Goodmajority `s` `out` `fnd` :== `good_mstate s fnd` = `True`

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| The component class mux4.

mux4 :: type

type mux4_localstate = (byte)

LOCAL_STATE ::= S_mux4 !mux4_localstate |+
ACTION ::= A_mux4 !mux4_ACT |+
mux4_ACT ::=
    choose4 !mux4 |
    choose3 !mux4 |
    choose2 !mux4 |
    choose1 !mux4 |+

mux4delay (choose4 c) = #0
mux4comp (choose4 c) = C_mux4 c
mux4out (choose4 c) <<in1,in2,in3,in4>> = in4

mux4delay (choose3 c) = #0
mux4comp (choose3 c) = C_mux4 c
mux4out (choose3 c) <<in1,in2,in3,in4>> = in3

mux4delay (choose2 c) = #0
mux4comp (choose2 c) = C_mux4 c
mux4out (choose2 c) <<in1,in2,in3,in4>> = in2

mux4delay (choose1 c) = #0
mux4comp (choose1 c) = C_mux4 c
mux4out (choose1 c) <<in1,in2,in3,in4>> = in1

effect (A_mux4 a) = mux4effect a
delay (A_mux4 a) = mux4delay a
component (A_mux4 a) = mux4comp a
mux4effect a s c = S_mux4 (mux4out a (mux4input s c))
getmux4out0 (S_mux4 y) = y
is_proper_mux4 (S_mux4 y) = ! y
||clio: sy is_proper_mux4 extend

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| The component class bytereg.
bytereg :: type

type bytereg_localstate = <<data, <<(data), (byte)>>>>
LOCAL_STATE ::= S_bytereg !bytereg_localstate |+

ACTION ::= A_bytereg !bytereg_ACT |+
bytereg_ACT ::=
    read3 !bytereg |
    read2 !bytereg |
    read1 !bytereg |
    read0 !bytereg |
    set3 !bytereg |
    set2 !bytereg |
    set1 !bytereg |
    set0 !bytereg

byteregdelay (read3 c) = #0
byteregcomp (read3 c) = C_bytereg c
byteregout (read3 c) s din = <<s, get_byte 3 s>>
byteregstate (read3 c) s din = s

byteregdelay (read2 c) = #0
byteregcomp (read2 c) = C_bytereg c
byteregout (read2 c) s din = <<s, get_byte 2 s>>
byteregstate (read2 c) s din = s

byteregdelay (read1 c) = #0
byteregcomp (read1 c) = C_bytereg c
byteregout (read1 c) s din = <<s, get_byte 1 s>>
byteregstate (read1 c) s din = s

byteregdelay (read0 c) = #0
byteregcomp (read0 c) = C_bytereg c
byteregout (read0 c) s din = <<s, get_byte 0 s>>
byteregstate (read0 c) s din = s

byteregdelay (set3 c) = #1
byteregcomp (set3 c) = C_bytereg c
byteregout (set3 c) s din = <<update_byte 3 s din, din>>
byteregstate (set3 c) s din = update_byte 3 s din

byteregdelay (set2 c) = #1
byteregcomp (set2 c) = C_bytereg c
byteregout (set2 c) s din = <<update_byte 2 s din, din>>
byteregstate (set2 c) s din = update_byte 2 s din

byteregdelay (set1 c) = #1
byteregcomp (set1 c) = C_bytereg c
byteregout (set1 c) s din = <<update_byte 1 s din, din>>
byteregstate (set1 c) s din = update_byte 1 s din

byteregdelay (set0 c) = #1
byteregcomp (set0 c) = C_bytereg c
byteregout (set0 c) s din = <<update_byte 0 s din, din>>
byteregstate (set0 c) s din = update_byte 0 s din

effect (A_bytereg a) = byteregeffect a
delay (A_bytereg a) = byteregdelay a
component (A_bytereg a) = byteregcomp a
byteregeffect a s c =
    S_bytereg <<byteregstate a (getbyteregstate (current s c)) (bytereginput s c),
                byteregout a (getbyteregstate (current s c)) (bytereginput s c)>>

getbyteregstate (S_bytereg <<x,y>>) = x
getbyteregout0 (S_bytereg <<x,<<y0,y1>> >>) = y0
getbyteregout1 (S_bytereg <<x,<<y0,y1>> >>) = y1

is_proper_bytereg (S_bytereg <<x,<<y0,y1>> >>) = (! y0) & (! y1)
||clio: sy is_proper_bytereg extend

Goodbytereg `s` `dataout` `byteout` :== `dataout` = `s` & `good s` = `True`

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--
|| The component class bitlatch.

bitlatch :: type

type bitlatch_localstate = <<BOOL, (BOOL)>>

LOCAL_STATE ::= S_bitlatch !bitlatch_localstate |+

ACTION ::= A_bitlatch !bitlatch_ACT |+
bitlatch_ACT ::=
    setb !bitlatch

bitlatchdelay (setb c) = #1
bitlatchcomp (setb c) = C_bitlatch c
bitlatchout (setb c) s in = in
bitlatchstate (setb c) s in = in

effect (A_bitlatch a) = bitlatcheffect a
delay (A_bitlatch a) = bitlatchdelay a
component (A_bitlatch a) = bitlatchcomp a
bitlatcheffect a s c =
    S_bitlatch <<bitlatchstate a (getbitlatchstate (current s c)) (bitlatchinput s c),
                 bitlatchout a (getbitlatchstate (current s c)) (bitlatchinput s c)>>

getbitlatchstate (S_bitlatch <<x,y>>) = x
getbitlatchout0 (S_bitlatch <<x,y>>) = y
is_proper_bitlatch (S_bitlatch <<x,y>>) = ! y
||clio: sy is_proper_bitlatch extend
Goodbitlatch `s` `out` :== `s` = `out`

ACTION ::= |
LOCAL_STATE ::= |
COMP ::=
    C_majority !majority |
    C_mux4 !mux4 |
    C_bytereg !bytereg |
    C_bitlatch !bitlatch

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| Components (other than Controller and External)
|| and their connections.

majority ::= MAJ1 |+
majorityinput s (C_majority MAJ1) =
    <<getbyteregout0 (current s (C_bytereg R31)),
      getbyteregout0 (current s (C_bytereg R21)),
      getbyteregout0 (current s (C_bytereg PR1))>>

majority ::= MAJ2 |+
majorityinput s (C_majority MAJ2) =
    <<getbyteregout0 (current s (C_bytereg R32)),
      getbyteregout0 (current s (C_bytereg R12)),
      getbyteregout0 (current s (C_bytereg PR2))>>

majority ::= MAJ3 |+
majorityinput s (C_majority MAJ3) =
    <<getbyteregout0 (current s (C_bytereg R23)),
      getbyteregout0 (current s (C_bytereg R13)),
      getbyteregout0 (current s (C_bytereg PR3))>>

mux4 ::= MUX |+
mux4input s (C_mux4 MUX) =
    <<getbyteregout1 (current s (C_bytereg PR3)),
      getbyteregout1 (current s (C_bytereg PR2)),
      getbyteregout1 (current s (C_bytereg PR1)), bottom>>

bytereg ::= PR1 |+
bytereginput s (C_bytereg PR1) = external_input_prvt1 (current_input s)
bytereg ::= PR2 |+
bytereginput s (C_bytereg PR2) = external_input_prvt2 (current_input s)
bytereg ::= PR3 |+
bytereginput s (C_bytereg PR3) = external_input_prvt3 (current_input s)

bytereg ::= R12 |+
bytereginput s (C_bytereg R12) = external_input_vin1 (current_input s)
bytereg ::= R13 |+
bytereginput s (C_bytereg R13) = external_input_vin1 (current_input s)
bytereg ::= R21 |+
bytereginput s (C_bytereg R21) = external_input_vin2 (current_input s)
bytereg ::= R23 |+
bytereginput s (C_bytereg R23) = external_input_vin2 (current_input s)
bytereg ::= R31 |+
bytereginput s (C_bytereg R31) = external_input_vin3 (current_input s)
bytereg ::= R32 |+
bytereginput s (C_bytereg R32) = external_input_vin3 (current_input s)

bitlatch ::= VS |+
bitlatchinput s (C_bitlatch VS) = external_input_vstart (current_input s)
bitlatch ::= ST |+
bitlatchinput s (C_bitlatch ST) = getbitlatchout0 (current s (C_bitlatch VS))

majority ::= |
mux4 ::= |
bytereg ::= |
bitlatch ::= |
|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| Output function

sndng_controller_out s <<vstart, started>> = ready_to_send s
free_controller_out s <<vstart, started>> = voter_free s
Out s = <<getmajorityout0 (current s (C_majority MAJ1)),
          getmajorityout0 (current s (C_majority MAJ2)),
          getmajorityout0 (current s (C_majority MAJ3)),
          <<getmajorityout1 (current s (C_majority MAJ1)),
            getmajorityout1 (current s (C_majority MAJ2)),
            getmajorityout1 (current s (C_majority MAJ3))>>,
          getmux4out0 (current s (C_mux4 MUX)),
          sndng_controller_out (getcontrolstate (current s Controller)) (controllerinput s),
          free_controller_out (getcontrolstate (current s Controller)) (controllerinput s)>>

external_output_m1 <<x0, x1, x2, x3, x4, x5, x6>> = x0
external_output_m2 <<x0, x1, x2, x3, x4, x5, x6>> = x1
external_output_m3 <<x0, x1, x2, x3, x4, x5, x6>> = x2
external_output_status <<x0, x1, x2, x3, x4, x5, x6>> = x3
external_output_cross <<x0, x1, x2, x3, x4, x5, x6>> = x4
external_output_sndng <<x0, x1, x2, x3, x4, x5, x6>> = x5
external_output_free <<x0, x1, x2, x3, x4, x5, x6>> = x6
inlist_from <<s,p,in>> = input_phases_of in

input_phases_of in = (map in input_phases) ++
                     input_phases_of (in . (#+ #num_phases))

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The scheduler.

scheduler LDP1 <<vstart, started>> 2 =
    ((vstart) -> [A_bytereg(set1 PR1), A_bytereg(set1 PR2), A_bytereg(set1 PR3)];
                 [A_bitlatch(setb VS)])
scheduler LDP2 <<vstart, started>> 2 =
    [A_bytereg(set3 PR1), A_bytereg(set3 PR2), A_bytereg(set3 PR3)]
scheduler XNG11 <<vstart, started>> 2 = (selprvt1byte1)
scheduler XNG12 <<vstart, started>> 2 = (selprvt1byte3)
scheduler XNG21 <<vstart, started>> 2 = (selprvt2byte1)
scheduler XNG22 <<vstart, started>> 2 = (selprvt2byte3)
scheduler XNG31 <<vstart, started>> 2 = (selprvt3byte1)
scheduler XNG32 <<vstart, started>> 2 = (selprvt3byte3)
scheduler OUT1 <<vstart, started>> 2 =
    [A_majority(select1 MAJ1), A_majority(select1 MAJ2), A_majority(select1 MAJ3)]
scheduler OUT2 <<vstart, started>> 2 =
    [A_majority(select3 MAJ1), A_majority(select3 MAJ2), A_majority(select3 MAJ3),
     A_bitlatch(setb VS)]
scheduler LDP1 <<vstart, started>> 0 =
    ((vstart) -> [A_bytereg(set0 PR1), A_bytereg(set0 PR2), A_bytereg(set0 PR3)]; [])
    ++ [A_bitlatch(setb ST)]
scheduler LDP2 <<vstart, started>> 0 =
    [A_bytereg(set2 PR1), A_bytereg(set2 PR2), A_bytereg(set2 PR3)]
scheduler XNG11 <<vstart, started>> 0 = (selprvt1byte0)
scheduler XNG12 <<vstart, started>> 0 = (selprvt1byte2)
scheduler XNG21 <<vstart, started>> 0 = (selprvt2byte0)
scheduler XNG22 <<vstart, started>> 0 = (selprvt2byte2)
scheduler XNG31 <<vstart, started>> 0 = (selprvt3byte0)
scheduler XNG32 <<vstart, started>> 0 = (selprvt3byte2)
scheduler OUT1 <<vstart, started>> 0 =
    [A_majority(select0 MAJ1), A_majority(select0 MAJ2), A_majority(select0 MAJ3)]
scheduler OUT2 <<vstart, started>> 0 =
    [A_majority(select2 MAJ1), A_majority(select2 MAJ2), A_majority(select2 MAJ3)]

scheduler XNG11 <<vstart, started>> 3 =
    [A_bytereg(set1 R12), A_bytereg(set1 R23)] ++ [Advance_controller]
scheduler XNG11 <<vstart, started>> 1 =
    [A_bytereg(set0 R12), A_bytereg(set0 R23)]
scheduler XNG12 <<vstart, started>> 1 =
    [A_bytereg(set2 R12), A_bytereg(set2 R23)]
scheduler XNG12 <<vstart, started>> 3 =
    [A_bytereg(set3 R12), A_bytereg(set3 R23)] ++ [Advance_controller]

scheduler XNG21 <<vstart, started>> 1 =
    [A_bytereg(set0 R13), A_bytereg(set0 R31)]
scheduler XNG21 <<vstart, started>> 3 =
    [A_bytereg(set1 R13), A_bytereg(set1 R31)] ++ [Advance_controller]

scheduler XNG22 <<vstart, started>> 1 =
    [A_bytereg(set2 R13), A_bytereg(set2 R31)]
scheduler XNG22 <<vstart, started>> 3 =
    [A_bytereg(set3 R13), A_bytereg(set3 R31)] ++ [Advance_controller]

scheduler XNG31 <<vstart, started>> 1 =
    [A_bytereg(set0 R21), A_bytereg(set0 R32)]
scheduler XNG31 <<vstart, started>> 3 =
    [A_bytereg(set1 R21), A_bytereg(set1 R32)] ++ [Advance_controller]

scheduler XNG32 <<vstart, started>> 1 =
    [A_bytereg(set2 R21), A_bytereg(set2 R32)]
scheduler XNG32 <<vstart, started>> 3 =
    [A_bytereg(set3 R21), A_bytereg(set3 R32)] ++ [Advance_controller]

selprvt1byte0 = [A_bytereg(read0 PR1), A_mux4(choose3 MUX)]
selprvt1byte1 = [A_bytereg(read1 PR1), A_mux4(choose3 MUX)]
selprvt1byte2 = [A_bytereg(read2 PR1), A_mux4(choose3 MUX)]
selprvt1byte3 = [A_bytereg(read3 PR1), A_mux4(choose3 MUX)]
selprvt2byte0 = [A_bytereg(read0 PR2), A_mux4(choose2 MUX)]
selprvt2byte1 = [A_bytereg(read1 PR2), A_mux4(choose2 MUX)]
selprvt2byte2 = [A_bytereg(read2 PR2), A_mux4(choose2 MUX)]
selprvt2byte3 = [A_bytereg(read3 PR2), A_mux4(choose2 MUX)]
selprvt3byte0 = [A_bytereg(read0 PR3), A_mux4(choose1 MUX)]
selprvt3byte1 = [A_bytereg(read1 PR3), A_mux4(choose1 MUX)]
selprvt3byte2 = [A_bytereg(read2 PR3), A_mux4(choose1 MUX)]
selprvt3byte3 = [A_bytereg(read3 PR3), A_mux4(choose1 MUX)]
scheduler CMPP <<vstart, started>> 0 =
    [A_majority(comp MAJ1), A_majority(comp MAJ2), A_majority(comp MAJ3)]
scheduler s in 3 = [Advance_controller]
scheduler s in t = []


|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--
|| Proper state predicates.
is_proper_state `s` :==
    `is_proper_contr (current s Controller)` = `True`
  & `is_proper_majority (current s (C_majority MAJ1))` = `True`
  & `is_proper_majority (current s (C_majority MAJ2))` = `True`
  & `is_proper_majority (current s (C_majority MAJ3))` = `True`
  & `is_proper_mux4 (current s (C_mux4 MUX))` = `True`
  & `is_proper_bytereg (current s (C_bytereg PR1))` = `True`
  & `is_proper_bytereg (current s (C_bytereg PR2))` = `True`
  & `is_proper_bytereg (current s (C_bytereg PR3))` = `True`
  & `is_proper_bytereg (current s (C_bytereg R12))` = `True`
  & `is_proper_bytereg (current s (C_bytereg R13))` = `True`
  & `is_proper_bytereg (current s (C_bytereg R21))` = `True`
  & `is_proper_bytereg (current s (C_bytereg R23))` = `True`
  & `is_proper_bytereg (current s (C_bytereg R31))` = `True`
  & `is_proper_bytereg (current s (C_bytereg R32))` = `True`
  & `is_proper_bitlatch (current s (C_bitlatch VS))` = `True`
  & `is_proper_bitlatch (current s (C_bitlatch ST))` = `True`

Proper_state `s` :==
    `pending_changes s` = `[]`
  & is_proper_state `s`
  & Goodmajority `getmajoritystate (current s (C_majority MAJ1))`
                 `getmajorityout0 (current s (C_majority MAJ1))`
                 `getmajorityout1 (current s (C_majority MAJ1))`
  & Goodmajority `getmajoritystate (current s (C_majority MAJ2))`
                 `getmajorityout0 (current s (C_majority MAJ2))`
                 `getmajorityout1 (current s (C_majority MAJ2))`
  & Goodmajority `getmajoritystate (current s (C_majority MAJ3))`
                 `getmajorityout0 (current s (C_majority MAJ3))`
                 `getmajorityout1 (current s (C_majority MAJ3))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg PR1))`
                `getbyteregout0 (current s (C_bytereg PR1))`
                `getbyteregout1 (current s (C_bytereg PR1))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg PR2))`
                `getbyteregout0 (current s (C_bytereg PR2))`
                `getbyteregout1 (current s (C_bytereg PR2))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg PR3))`
                `getbyteregout0 (current s (C_bytereg PR3))`
                `getbyteregout1 (current s (C_bytereg PR3))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg R12))`
                `getbyteregout0 (current s (C_bytereg R12))`
                `getbyteregout1 (current s (C_bytereg R12))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg R13))`
                `getbyteregout0 (current s (C_bytereg R13))`
                `getbyteregout1 (current s (C_bytereg R13))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg R21))`
                `getbyteregout0 (current s (C_bytereg R21))`
                `getbyteregout1 (current s (C_bytereg R21))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg R23))`
                `getbyteregout0 (current s (C_bytereg R23))`
                `getbyteregout1 (current s (C_bytereg R23))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg R31))`
                `getbyteregout0 (current s (C_bytereg R31))`
                `getbyteregout1 (current s (C_bytereg R31))`
  & Goodbytereg `getbyteregstate (current s (C_bytereg R32))`
                `getbyteregout0 (current s (C_bytereg R32))`
                `getbyteregout1 (current s (C_bytereg R32))`
  & Goodbitlatch `getbitlatchstate (current s (C_bitlatch VS))`
                 `getbitlatchout0 (current s (C_bitlatch VS))`
  & Goodbitlatch `getbitlatchstate (current s (C_bitlatch ST))`
                 `getbitlatchout0 (current s (C_bitlatch ST))`
  & Proper_External `s`

||clio: symbol Proper_state extend_auto
||clio: symbol pending_changes extend_auto

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| For export to other modules, we define functions that
|| access the internal state of each component that has one.

get_MAJ1_state s = getmajoritystate (current s (C_majority MAJ1))
get_MAJ2_state s = getmajoritystate (current s (C_majority MAJ2))
get_MAJ3_state s = getmajoritystate (current s (C_majority MAJ3))
get_PR1_state s = getbyteregstate (current s (C_bytereg PR1))
get_PR2_state s = getbyteregstate (current s (C_bytereg PR2))
get_PR3_state s = getbyteregstate (current s (C_bytereg PR3))
get_R12_state s = getbyteregstate (current s (C_bytereg R12))
get_R13_state s = getbyteregstate (current s (C_bytereg R13))
get_R21_state s = getbyteregstate (current s (C_bytereg R21))
get_R23_state s = getbyteregstate (current s (C_bytereg R23))
get_R31_state s = getbyteregstate (current s (C_bytereg R31))
get_R32_state s = getbyteregstate (current s (C_bytereg R32))
get_VS_state s = getbitlatchstate (current s (C_bitlatch VS))
get_ST_state s = getbitlatchstate (current s (C_bitlatch ST))

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| Auxiliary definitions.
type bitvec = [BOOL]
dataof <<data, bit>> = data
bitof <<data, bit>> = bit

|| ** Should this be majority_does_not_exist ? **

majority_exists in1 in2 in3 = (in1 = in2) | (in1 = in3) | (in2 = in3)
majority_of in1 in2 in3 = (in1 = in2 -> in1; (in1 = in3 -> in1; in2))

isbitvector n bitvec = (n = ## bitvec)

ready_to_send s = (s=OUT1) | (s=OUT2)
voter_free s = s ~= LDP1

from_proc <<p1,p2,p3,v1,v2,v3,go>> = <<p1,p2,p3,go>>
from_vtrs <<p1,p2,p3,v1,v2,v3,go>> = <<v3,v2,v1>>
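The delayed-change execution kernel (do_change, update_state, and current reading bottom while a change is queued) and the majority component's comp/select actions, as an added Python model that is not part of the report's listing. It assumes Python tuples for the local states, None for bottom, and that get_byte 0 is the least-significant byte of a word; majority_of falls back to in2 when no two inputs agree, exactly as the definition above does.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

Change = Tuple[str, int, Any]              # <<COMP, NAT, LOCAL_STATE>>


@dataclass
class State:
    """<<SYSTEM_STATE, [CHANGE]>>; the INPUT_STREAM component is left out here."""
    sys: Dict[str, Any]                    # component name -> local state
    pending: List[Change] = field(default_factory=list)


def is_pending(p: List[Change], c: str) -> bool:
    """`pending`: True when some queued change targets component c."""
    return any(comp == c for comp, _, _ in p)


def current(st: State, c: str) -> Optional[Any]:
    """`current`: a component reads as bottom (None) while a change to it is pending."""
    return None if is_pending(st.pending, c) else st.sys[c]


def do_change(ch: Change, st: State) -> State:
    comp, delay, value = ch
    if delay == 0:
        st.sys[comp] = value                          # <<c,Zero,v>>: apply now
    else:
        st.pending.append((comp, delay - 1, value))   # <<c,Succ n,v>>: requeue as <<c,n,v>>
    return st


def update_state(st: State) -> State:
    """`update_state`: run every queued change against a state whose queue is emptied."""
    old, st.pending = st.pending, []
    for ch in old:
        do_change(ch, st)
    return st


# --- the majority component class: state <<data,BOOL>>, output <<byte,BOOL>> ---
def get_byte(n: int, word: int) -> int:
    return (word >> (8 * n)) & 0xFF        # assumption: byte 0 is the least significant


def majority_exists(in1, in2, in3) -> bool:
    return in1 == in2 or in1 == in3 or in2 == in3


def majority_of(in1, in2, in3):
    # (in1 = in2 -> in1; (in1 = in3 -> in1; in2)): yields in2 when no two inputs agree
    return in1 if (in1 == in2 or in1 == in3) else in2


MAJORITY_DELAY = {"comp": 2, "select0": 0, "select1": 0, "select2": 0, "select3": 0}


def majority_effect(action: str, local, inputs):
    """New <<state, output>> of a majority component for one action."""
    (data, bit), _out = local
    if action.startswith("select"):
        k = int(action[-1])                # selectK exposes byte K of the voted data
        return ((data, bit), (get_byte(k, data), bit))
    if action == "comp":
        m = majority_of(*inputs)
        ok = majority_exists(*inputs)
        return ((m, ok), (get_byte(0, m), ok))
    raise ValueError(f"unknown majority action {action}")


def do_action(comp: str, action: str, inputs, st: State) -> State:
    """`do_action`: build <<component, delay, effect>> from the current state, then do_change."""
    local = current(st, comp)
    if local is None:                      # effect would be bottom; a proper schedule never does this
        raise RuntimeError(f"{comp} read while a change to it is pending")
    return do_change((comp, MAJORITY_DELAY[action], majority_effect(action, local, inputs)), st)


def run_vote(inputs, phases: int):
    """Issue `comp` on MAJ1, then start `phases` further phases; record what `current` sees."""
    st = State(sys={"MAJ1": ((0, False), (0, False))})   # constructed initial state
    do_action("MAJ1", "comp", inputs, st)
    seen = [current(st, "MAJ1")]
    for _ in range(phases):
        update_state(st)                   # the first thing do_phase does, via update_state
        seen.append(current(st, "MAJ1"))
    return seen, st
```

With delay #2, the voter's new state is bottom in the phase the comp action is issued and in the next one, and becomes current only in the phase after that; a select action (delay #0) then exposes the chosen byte immediately.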

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*--

|| The cutpoints and loop conditions.

CUTPOINT start

at_start s = start_state (controllerstate s)

start_state LDP1 = True
start_state x = False

PATH ::= startPATH0 |+
path_start startPATH0 = start
path_end startPATH0 = start
path_length startPATH0 = #11

path_condition `startPATH0` `s` :==
    TRUE
  & `controllerstate s` = `LDP1`
  & `~(startedof (controllerinput (iterate Execute (#1) s)))` = `False`
  & `controllerstate (iterate Execute (#1) s)` = `LDP2`
  & `controllerstate (iterate Execute (#2) s)` = `XNG11`
  & `controllerstate (iterate Execute (#3) s)` = `XNG12`
  & `controllerstate (iterate Execute (#4) s)` = `XNG21`
  & `controllerstate (iterate Execute (#5) s)` = `XNG22`
  & `controllerstate (iterate Execute (#6) s)` = `XNG31`
  & `controllerstate (iterate Execute (#7) s)` = `XNG32`
  & `controllerstate (iterate Execute (#8) s)` = `CMPP`
  & `controllerstate (iterate Execute (#9) s)` = `OUT1`
  & `controllerstate (iterate Execute (#10) s)` = `OUT2`

PATH ::= startPATH1 |+
path_start startPATH1 = start
path_end startPATH1 = start
path_length startPATH1 = #1

path_condition `startPATH1` `s` :==
    TRUE
  & `controllerstate s` = `LDP1`
  & `~(startedof (controllerinput (iterate Execute (#1) s)))` = `True`

Invariant `p` `s` := TRUE
PATH ::= |

Advance_Relation `p1` `p2` `s1` `s2` := TRUE
path_precond `path` `s` :=
    `!path` = `True`
  & path_condition `path` `s`
  & Invariant `path_start path` `s`
||clio: sy path_precond extend
||clio: sy Invariant extend

path_postcond `path` `s` :=
    Invariant `path_end path` `iterate Execute (path_length path) s`
  & Advance_Relation `path_start path` `path_end path`
                     `s` `iterate Execute (path_length path) s`

VC `path` `s` :=
    path_precond `path` `s` => path_postcond `path` `s`

VC_ok `s` :== (path) VC `path` `s`

VC_ok_lemma :== Proper_state `s` => VC_ok `s`

Timing_ok `s` :==
    Proper_state `Execute s`

Timing_ok_lemma :==
    Timing_ok `s`, Proper_state `s`

Timing_ok_case `s` :==
    Timing_ok `s`, `controllerstate s` = `c`

Timing_ok_by_cases :== Proper_state `s` => Timing_ok_case `s`


4 FtCayuga Specification


In the following, the functions used in both the abstract and the design specifications are given in a separate section.


4.1 Abstract Specification

FROM CommonTheorySec IMPORT data_to_addr, data_to_regaddr, byte_num, byte_inc,
    good, reset_to_addr, inc_data, LSB,
    JIF, JIT, JMP, SADD, MOVE, ICOP, PVT, STATUS, VT1, VT2,
    VT3, BYTE0, dstof, opclassof, opcodeof, update, protected,
    data, regaddr, addr, sregaddr, data_to_sregaddr, DATUM,
    Word, set_byte, data_false, getbyte, get_byte, byte
FROM CommonPartSec IMPORT current_result, interruptof
FROM FtCayugaDesignSec IMPORT Execute, Proper_state, get_HAND_state,
    controllerstate, get_NXPC_state, get_RSLT_state,
    get_DST_state, get_IREG_state, get_MEM_state,
    get_REG_state, get_INST_state, get_SREG_state,
    get_BC_state, inlist_from,
    WBA, WBS, WBJ, WBL, DF, DFI, INTF, INTC, OP_switch,
    STATE, CONTROLSTATE, EXTSTATE, time_abs, vtrs_update

|| Now we define a partial abstraction, FtCayugaABS, of the FtCayuga state
|| and a corresponding version, FtCayugaStep, of the Execute function.

type FTCAYUGASTATE = <<CONTROLSTATE, data, data, data, data,
                       addr->data, data, regaddr->data, data,
                       sregaddr->data, byte_num>>

FtCayugaABS s =
    <<controllerstate s, get_IREG_state s, get_DST_state s,
      get_RSLT_state s, get_HAND_state s, get_MEM_state s,
      get_NXPC_state s, get_REG_state s, get_INST_state s,
      get_SREG_state s, get_BC_state s>>

FtInputABS s = time_abs (inlist_from s)
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1 | Selector functions on the FTCAYUGASTATE : 

controf <<cs , irg, dst , rslt , hnd, mem, nx,reg, inst , sreg, bc>> - cs 
iregof <<cs , irg, dst , rslt ,hnd,mem,nx ,reg , inst , sreg, bc>> = irg 

dst.of <<cs,irg,dst , rslt , hnd, mem, nx.reg, inst , sreg, bc>> - dst 

rsltof <<cs, irg, dst ,rslt,hnd, mem, nx,reg, inst, sreg,bc>> = rslt 
handof «cs , irg , dst , rslt , hnd, mem, nx ,reg, inst , sreg, bc» - hnd 
memof «cs , irg, dst ,rslt , hnd, mem,nx,reg, inst ,sreg,bc» = mem 
nxpcof «cs, irg, dst, rslt, hnd, mem, nx,reg, inst, sreg, bc» = nx 
regof <<cs, irg, dst, rslt, hnd, mem, nx,reg, inst, sreg, bc>> = reg 
inst.of <<cs, irg, dst , rslt , hnd, mem, nx,reg, inst, sreg, bc>> = mst 

sregof <<cs,irg, dst , rslt , hnd, mem, nx,reg, inst, sreg, bc>> = sreg 

bytecount «cs, irg, dst , rslt, hnd, mem,nx,reg, inst , sreg, bc» = be 

FtCayugaStep s in = 

<<newcontr (controf s) (interruptof in) (iregof s) , 
newireg (controf s) (interruptof in) s, 
newdst (controf s) (dst.of s) (iregof s) , 
newrslt (controf s) s, . 

newhand (controf s) (interruptof in) (handof s; , 

newmem (controf s) s, 

newnxpc (controf s) (interruptof in) s, 
newreg (controf s) s, 

newinst (controf s) (inst.of s) (iregof s) , 
newsreg (controf s) in s , 
newbc s>> 

|| ******************** next control state *********************************

newcontr WBS in irg = in->DFI;DF
newcontr WBL in irg = in->DFI;DF
newcontr DFI in irg = INTF
newcontr INTF in irg = INTC
newcontr INTC in irg = active_nextstate False irg
newcontr cs in irg = active_nextstate in irg

active_nextstate in ireg =
    in->INTF; (OP_switch (opclassof (opcodeof ireg)))

|| ******************** next ireg state *********************************
newireg WBS in s = iregof s
newireg WBL in s = iregof s
newireg WBA in s = memof s (data_to_addr (next_nxpc in (nxpcof s)))
newireg WBJ in s = memof s (data_to_addr (jmpnxpc in s))
newireg DFI in s = memof s (data_to_addr (handof s))
newireg DF in s = memof s (data_to_addr (next_nxpc in (nxpcof s)))
newireg INTF in s = memof s (data_to_addr (iregof s))
newireg INTC in s = memof s (data_to_addr (inc_data (nxpcof s)))

jmpnxpc in s =
    (jump_cond (inst_of s) (regof s) (dst_of s)) -> (rsltof s); (inc_data (nxpcof s))

jump_cond inst reg dst =
    ((opcodeof inst)=JMP)
    xor (((opcodeof inst)=JIT) & (LSB(reg (data_to_regaddr dst))))
    xor (((opcodeof inst)=JIF) & ~(LSB(reg (data_to_regaddr dst))))

|| ******************** next dst state *********************************

newdst WBS dst ireg = dst
newdst WBL dst ireg = dst
newdst INTF dst ireg = dst
newdst cs dst ireg = dstof (ireg)

|| ******************** next rslt state *********************************
newrslt WBS s = rsltof s
newrslt WBL s = rsltof s
newrslt INTF s = rsltof s
newrslt WBA s =
    current_result <<memof s, nxpcof s, wba_reg s, iregof s, sregof s, []>>
newrslt cs s =
    current_result <<memof s, nxpcof s, regof s, iregof s, sregof s, []>>

wba_reg s = regof s, opcodeof (inst_of s) = SADD
            update (regof s) (data_to_regaddr (dst_of s)) (rsltof s)

|| ******************** next hand state *********************************

newhand DFI in h = h
newhand INTF in h = h
newhand cs in h = reset_to_addr in

|| ******************** next mem state *********************************
newmem WBS s = update (memof s) (data_to_addr (rsltof s))
                      (regof s (data_to_regaddr (dst_of s)))
newmem cs s = memof s

|| ******************** next nxpc state *********************************

newnxpc WBS in s = nxpcof s
newnxpc WBL in s = nxpcof s
newnxpc WBA in s = next_nxpc in (nxpcof s)
newnxpc WBJ in s = jmpnxpc in s
newnxpc DFI in s = handof s
newnxpc DF in s = next_nxpc in (nxpcof s)
newnxpc INTF in s = iregof s
newnxpc INTC in s = inc_data (nxpcof s)

next_nxpc in nxpc = in-> (reset_to_addr in); (inc_data nxpc)

|| ******************** next reg state *********************************
newreg WBL s =
    update (regof s) (data_to_regaddr (dst_of s))
           (memof s (data_to_addr (rsltof s)))
newreg WBA s = wba_reg s
newreg cs s = regof s

|| ******************** next inst state *********************************
newinst INTF inst ireg = inst
newinst cs inst ireg = ireg

|| ******************** next sreg state *********************************
newsreg WBA in s =
    update (special_update s in) (data_to_sregaddr (dst_of s)) (rsltof s),
        (opcodeof (inst_of s) = SADD) & ~(protected (data_to_sregaddr (dst_of s)))
    special_update s in
newsreg cs in s = special_update s in

special_update s <<r,v1,v2,v3,[st1,st2]>> =
    ic_update (sregof s) (bytecount s) v1 v2 v3, ic_data_ready st1
    status_update (sregof s) st1, ic_cycle_completed (sregof s) st1
    status_clear (sregof s), (voter_free st1) & (opcodeof (inst_of s) = ICOP)
    sregof s
special_update s in = sregof s

msbof, next2msbof :: byte -> BOOL

ic_data_ready st1 = ~(msbof st1) & (next2msbof st1)
ic_cycle_completed sreg st1 = (msbof st1) & ~(msbof (get_byte 3 (sreg STATUS)))
voter_free st1 = (msbof st1)

|| status_clear resets the msb of (sreg STATUS)
status_clear sreg = update sreg STATUS data_false

|| status_update sreg updates the STATUS register in sreg to st1
status_update sreg st1 = update sreg STATUS (DATUM (Word st1 st1 st1 st1))
|| ic_update updates the three ic registers in sreg
ic_update sreg b v1 v2 v3 =
    update (update (update sreg VT1 (update_bytes b (sreg VT1) v1))
                   VT2 (update_bytes b (sreg VT2) v2))
           VT3 (update_bytes b (sreg VT3) v3)

byte_inc2 = byte_inc . byte_inc
byte_inc3 = byte_inc . byte_inc2
update_bytes b w [v1,v2] =
    set_byte b (set_byte (byte_inc3 b) w v1) v2

|| ******************** next bc state *********************************
newbc s = byte_inc (byte_inc (bytecount s))

|| ************************************************************************
|| the output functions
||clio: add vstartout

vstartout s =
    fourphase (ic_initiate (controf s) (inst_of s) (sregof s STATUS))
stat_byte <<r,v1,v2,v3,st>> = hd st

ic_initiate cstate inst st =
    (cstate = WBA) & (opcodeof inst = ICOP) & (msbof (getbyte BYTE0 st))

prvtout s = pad [(getbyte (byte_inc (bytecount s)) (sregof s PVT)),
                 (getbyte (byte_inc (byte_inc (bytecount s))) (sregof s PVT))]

pad [a,b] = <<a,a,b,b>>
fourphase a = <<a,a,a,a>>

|| ************************************************************************
|| Properness predicate:

Goodmem `s` := (x::addr) `good (s x)` = `!!x` & `!(s x)` = `!!x`
Goodregfile `s` := (x::regaddr) `good (s x)` = `!x` & `!(s x)` = `!x`
Goodsregfile `s` := (x::sregaddr) `good (s x)` = `!x` & `!(s x)` = `!x`

Proper_ftcayuga `<<cstate,ireg,dst,rslt,hand,mem,nxpc,reg,inst,sreg,bc>>` :=
    `!cstate` = `True`
  & `good ireg` = `True`
  & `good dst` = `True`
  & `good rslt` = `True`
  & `good hand` = `True`
  & Goodmem `mem`
  & `good nxpc` = `True`
  & Goodregfile `reg`
  & `good inst` = `True`
  & Goodsregfile `sreg`
  & `!bc` = `True`

good_ftcayuga_in <<r,v1,v2,v3,[st1,st2]>> =
    !r & ((ic_data_ready st1) -> (good_voter_vals v1 v2 v3); True)

good_voter_vals [v11,v12] [v21,v22] [v31,v32] =
    !v11 & !v12 & !v21 & !v22 & !v31 & !v32

Proper_ftcayuga_lemma :=
    (Proper_ftcayuga `s` & `good_ftcayuga_in in` = `True`)
    => Proper_ftcayuga `FtCayugaStep s in`

|| Stuff we need about the function "statusword"
type threebit = <<BOOL,BOOL,BOOL>>

stwd1, stwd2 :: <<threebit,threebit>>-><<BOOL,BOOL>>-><<BOOL,BOOL>>->byte
statusword x y z = [stwd1 x y z, stwd2 x y z]

|| Some lemmas about the PVT register
newPVT s =
    ((opcodeof (inst_of s) = SADD) & ((data_to_sregaddr (dst_of s)) = PVT)
       & ((controf s) = WBA))
    -> (rsltof s); sregof s PVT

PVT_lemma1 :== `ic_update sreg b v1 v2 v3 PVT` = `sreg PVT`

PVT_lemma2 :==
    `special_update s <<r,v1,v2,v3,[stwd1 x <<fr,y>> <<snd,z>>,st2]>> PVT`
    = `sregof s PVT`
  , `!fr & !snd & !(inst_of s) & (good (sregof s STATUS))` = `True`

PVT_lemma3 :==
    `sregof (FtCayugaStep s <<r,v1,v2,v3,[stwd1 x <<fr,y>> <<snd,z>>,st2]>>) PVT`
    = `newPVT s`
  , `!fr & !snd & !(inst_of s) & !(dst_of s) & (good (sregof s STATUS))` = `True`
newPVT2 s in =
    ((opcodeof (newinst (controf s) (inst_of s) (iregof s)) = SADD)
      & ((data_to_sregaddr (newdst (controf s) (dst_of s) (iregof s))) = PVT)
      & ((newcontr (controf s) in (iregof s)) = WBA))
    -> (newrslt (controf s) s); newPVT s
PVT_lemma4 :=
    `newPVT (FtCayugaStep s <<r,v1,v2,v3,[stwd1 x <<fr,y>> <<snd,z>>,st2]>>)`
    = `newPVT2 s r`
  , `!fr & !snd & !(inst_of s) & !(dst_of s) & (good (sregof s STATUS))` = `True`
|| Some lemmas about the VT1, VT2, VT3 registers
VT123_lemma1 :==
    `newsreg cs in s v` = `special_update s in v`
  , (`v` = `VT1` \/ `v` = `VT2` \/ `v` = `VT3`)
  & `!cs & !(inst_of s) & !(dst_of s)` = `True`


4.2 Design Specification


FROM CommonTheorySec IMPORT data, byte, nodata, opcode, addr, regaddr, sregaddr,
    good, opcodeof, indirect, src1of, src2of, dstof,
    data_to_addr, data_to_regaddr, data_to_sregaddr,
    reset_to_addr, regaddr_to_sregaddr, byte_num,
    update, inc_data, add_data, sub_data, cne_data, LSB,
    ACLASS, JCLASS, SCLASS, LCLASS, opclassof,
    LD, ST, ADD, JMP, JIT, JIF, CNE, MOVE, SADD,
    PVT, VT1, VT2, VT3, STATUS, protected,
    BYTE0, set_byte, getbyte, byte_inc
FROM CommonPartSec IMPORT Step, prefetch, current_opclass,
    current_dst, current_result

clio: add OP_switch
clio: modify "OP_switch" off
clio: add vtrs_update
clio: modify "vtrs_update" off

|| Generated by the spectool
clio: symbol Execute never
clio: mod * off
clio: add *
clio: mod * on

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The Controller.


COMP ::= Controller |+

ACTION ::= Advance_controller |+

CONTROLSTATE :: type

LOCAL_STATE ::= S_Controller !CONTROLSTATE |+
getcontrolstate (S_Controller x) = x
is_proper_contr (S_Controller x) = !x
|| clio: sy is_proper_contr extend

controllerstate s = getcontrolstate (current s Controller)

effect Advance_controller s c =
    S_Controller (nextstate (controllerstate s) (controllerinput s))

delay Advance_controller = #0
component Advance_controller = Controller


controllerinput s =
    <<getbitlatchout0 (current s (C_bitlatch RESET)),
      opcodeof (getlatchout0 (current s (C_latch INST))),
      getdecoderout0 (current s (C_decoder DEC)),
      getdecoderout1 (current s (C_decoder DEC)),
      getmatcherout0 (current s (C_matcher MTCH)),
      getmatcherout1 (current s (C_matcher MTCH)),
      getregfileout2 (current s (C_regfile REG))>>

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The Control states and the next_state function.

resetof <<reset, inst, op, ind, eq1, eq2, cc>> = reset
instof  <<reset, inst, op, ind, eq1, eq2, cc>> = inst
opof    <<reset, inst, op, ind, eq1, eq2, cc>> = op
indof   <<reset, inst, op, ind, eq1, eq2, cc>> = ind
eq1of   <<reset, inst, op, ind, eq1, eq2, cc>> = eq1
eq2of   <<reset, inst, op, ind, eq1, eq2, cc>> = eq2
ccof    <<reset, inst, op, ind, eq1, eq2, cc>> = cc

OP_switch x = WBA, x = ACLASS
              WBS, x = SCLASS
              WBL, x = LCLASS
              WBJ

CONTROLSTATE ::= WBS |+
nextstate WBS in = ((resetof in))->(DFI);(DF)

CONTROLSTATE ::= WBL |+
nextstate WBL in = ((resetof in))->(DFI);(DF)

CONTROLSTATE ::= WBA |+
nextstate WBA in = ((resetof in))->(INTF);(OP_switch (opclassof (opof in)))

CONTROLSTATE ::= WBJ |+
nextstate WBJ in = ((resetof in))->(INTF);(OP_switch (opclassof (opof in)))

CONTROLSTATE ::= DFI |+
nextstate DFI in = INTF

CONTROLSTATE ::= DF |+
nextstate DF in = ((resetof in))->(INTF);(OP_switch (opclassof (opof in)))

CONTROLSTATE ::= INTF |+
nextstate INTF in = INTC

CONTROLSTATE ::= INTC |+
nextstate INTC in = OP_switch (opclassof (opof in))

CONTROLSTATE ::= |
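The controller above is a small finite-state machine, and the property a reviewer wants from it is that RESET always drags the machine back onto the interrupt/fetch path (DFI, INTF, INTC) regardless of what it was doing. The Python model below is an added example, not part of the ORA listing or of the Clio proof script: it transcribes the nextstate clauses and OP_switch, then enumerates every (state, operand class) pair to measure how many transitions a held RESET needs to reach INTF, and checks that INTF is never entered while RESET is low. The `ControllerInput` tuple mirrors `<<reset, inst, op, ind, eq1, eq2, cc>>`; passing the operand class directly in the `op` field (instead of `opclassof (opof in)`) is a simplification made here.

```python
"""Executable model of the FtCayuga controller's nextstate / OP_switch table.

Added example: not from the ORA listing. Operand classes are passed in
directly; everything else follows the nextstate clauses one for one.
"""
from itertools import product
from typing import Dict, List, NamedTuple, Tuple

ACLASS, SCLASS, LCLASS, JCLASS = "ACLASS", "SCLASS", "LCLASS", "JCLASS"
OPCLASSES = (ACLASS, SCLASS, LCLASS, JCLASS)
STATES = ("WBS", "WBL", "WBA", "WBJ", "DFI", "DF", "INTF", "INTC")


class ControllerInput(NamedTuple):
    """<<reset, inst, op, ind, eq1, eq2, cc>>; only reset and op drive nextstate."""
    reset: bool
    inst: str
    op: str          # simplification: the operand class itself, not an opcode
    ind: bool
    eq1: bool
    eq2: bool
    cc: bool


def op_switch(opclass: str) -> str:
    """OP_switch: the write-back state that handles an operand class."""
    return {ACLASS: "WBA", SCLASS: "WBS", LCLASS: "WBL"}.get(opclass, "WBJ")


def nextstate(state: str, inp: ControllerInput) -> str:
    """One clause per CONTROLSTATE, as in the listing."""
    if state in ("WBS", "WBL"):
        return "DFI" if inp.reset else "DF"
    if state in ("WBA", "WBJ", "DF"):
        return "INTF" if inp.reset else op_switch(inp.op)
    if state == "DFI":
        return "INTF"
    if state == "INTF":
        return "INTC"
    if state == "INTC":
        return op_switch(inp.op)
    raise ValueError(f"unknown control state {state!r}")


def steps_to_intf(start: str, opclass: str, limit: int = 8) -> int:
    """Hold RESET high; count transitions until INTF (-1 if not within limit)."""
    inp = ControllerInput(True, "ANY", opclass, False, False, False, False)
    st = start
    for k in range(limit + 1):
        if st == "INTF":
            return k
        st = nextstate(st, inp)
    return -1


def worst_case_reset_latency() -> Tuple[int, Dict[Tuple[str, str], int]]:
    """Exhaustive check over every (state, operand class) pair."""
    table = {(s, o): steps_to_intf(s, o) for s, o in product(STATES, OPCLASSES)}
    return max(table.values()), table


def reachable_without_reset(start: str, depth: int = 4) -> List[str]:
    """States visited from `start` with RESET low, over all operand classes."""
    seen = set()
    for o in OPCLASSES:
        inp = ControllerInput(False, "ANY", o, False, False, False, False)
        st = start
        for _ in range(depth):
            st = nextstate(st, inp)
            seen.add(st)
    return sorted(seen)
```

The enumeration shows a worst case of three transitions (INTC, then a store or load write-back, then DFI, then INTF), and that from the normal instruction states only WBA/WBS/WBL/WBJ/DF are ever reached while RESET stays low, which is the separation between the reset path and the instruction path that the Proper_state invariants rely on.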

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component External.


type EXTSTATE = <<BOOL, byte, byte, byte, byte>>

external_input_reset <<x0, x1, x2, x3, x4>> = x0
external_input_v1 <<x0, x1, x2, x3, x4>> = x1
external_input_v2 <<x0, x1, x2, x3, x4>> = x2
external_input_v3 <<x0, x1, x2, x3, x4>> = x3
external_input_ST <<x0, x1, x2, x3, x4>> = x4

is_proper_ext <<x0, x1, x2, x3, x4>> = (!x0) & (!x1) & (!x2) & (!x3) & (!x4)
|| clio: sy is_proper_ext extend

current_input <<s,p,in>> = in Zero
nth_input n <<s,p,in>> = in n
|| clio: sy Proper_External extend
Proper_External '<<s,p,in>>' :==

    (t::NAT) 'is_proper_ext (in t)' = 'True'
||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| There are 4 clock phases per cycle.

num_phases = 4

input_phases = [#0, #1, #3]

output_phase 1 = True
output_phase 3 = True
output_phase n = False

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The generic Execute function.

type SYSTEM_STATE = COMP->LOCAL_STATE

type INPUT_STREAM = NAT->EXTSTATE

type CHANGE = <<COMP,NAT,LOCAL_STATE>>

type STATE = <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>

pending_changes <<s,p,in>> = p

current <<s,p,in>> c = bottom, pending p c
                       s c

pending [] c = False
pending (<<c,t,v>>:rest) c = True
pending (<<c2,t,v>>:rest) c = pending rest c

Execute s = do_phases 0 s

do_phases n s = update_state s, n = num_phases
                do_phases (n+1) (do_phase n s)

Output s = generate_output 0 s

generate_output n s {n=num_phases} = []
generate_output n s {output_phase n} =
    Out (do_phase n s) : generate_output (n+1) (do_phase n s)
generate_output n s = generate_output (n+1) (do_phase n s)

|| clio: modify_rule "do_phases" count 20000
|| clio: symbol do_phases never

update_state <<s,p,in>> = do_changes p <<s,[],in>>
do_phase n <<s,p,in>> =
    advance_inputstream (do_actions (current_schedule s2 n) s2)
    where s2 = update_state <<s,p,in>>

current_schedule s n = scheduler (controllerstate s) (controllerinput s) n

do_change <<c,Zero,v>> <<s,p,in>> = <<update s c v, p, in>>
do_change <<c,Succ n,v>> <<s,p,in>> = <<s, <<c,n,v>>:p, in>>

do_action a s = do_change (change_of a s) s
advance_inputstream <<s,p,in>> = <<s, p, in . Succ>>

change_of a s = <<component a, delay a, effect a s (component a)>>
do_changes [] s = s
do_changes (<<c,t,v>>:rest) s = do_changes rest (do_change <<c,t,v>> s)

|| This is a trick to handle conditional actions correctly
do_actions :: [ACTION]->STATE->STATE
AXIOM (s) 'do_actions [] s' = 's'
AXIOM (a) (rest) (s) 'do_actions (a:rest) s' = 'do_actions rest (do_action a s)'
update s c v c2 = (c=c2)->v; s c2

foldl op s [] = s
foldl op s (a:rest) = foldl op (op a s) rest

map f [] = []
map f (a:x) = (f a) : (map f x)
list_to Zero = []
list_to (Succ n) = list_to n ++ [n]
iterate f Zero s = s
iterate f (Succ n) s = iterate f n (f s)
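The kernel above is what gives the component delays (`#0`, `#1`, `#2`) their meaning: an action's effect is computed from the state as seen when the action fires, queued as a CHANGE with its delay, decremented once per phase by `update_state`, and, crucially, `current` returns `bottom` for any component that still has a change in flight. The Python model below is an added example, not code from the ORA listing; it re-implements `current`, `do_change`, `update_state`, `do_phase` and `Execute` on a constructed two-component circuit (a delay-0 mux feeding a delay-1 latch, plus a delay-2 memory read), so the timing can be observed directly. Component names, values and the schedule are made up for the illustration; `None` stands in for `bottom`.

```python
"""Executable model of Execute / do_phase / do_change with delayed CHANGEs.

Added example, not part of the ORA listing. `None` plays the role of
`bottom`; the circuit and schedule at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

BOTTOM = None
NUM_PHASES = 4                               # num_phases = 4


@dataclass
class State:
    sys: Dict[str, Any]                      # SYSTEM_STATE: COMP -> LOCAL_STATE
    pending: List[Tuple[str, int, Any]]      # [CHANGE] = [<<comp, delay, value>>]
    tick: int = 0                            # position in the INPUT_STREAM


def current(st: State, comp: str) -> Any:
    """`current`: a component with a change in flight reads as bottom."""
    if any(c == comp for c, _, _ in st.pending):
        return BOTTOM
    return st.sys[comp]


def do_change(change: Tuple[str, int, Any], st: State) -> State:
    comp, delay, value = change
    if delay == 0:                           # <<c,Zero,v>>: apply immediately
        st.sys[comp] = value
    else:                                    # <<c,Succ n,v>>: re-queue with n
        st.pending.append((comp, delay - 1, value))
    return st


def update_state(st: State) -> State:
    """Replay the queue against an empty one: one phase has elapsed."""
    queued, st.pending = st.pending, []
    for ch in queued:
        do_change(ch, st)
    return st


# An ACTION is <<component, delay, effect>>; `effect` sees the pre-action state.
Action = Tuple[str, int, Callable[[State], Any]]
Schedule = Callable[[State, int], List[Action]]


def do_action(a: Action, st: State) -> State:
    comp, delay, effect = a
    return do_change((comp, delay, effect(st)), st)


def do_phase(schedule: Schedule, n: int, st: State) -> State:
    s2 = update_state(st)
    for a in schedule(s2, n):
        do_action(a, s2)
    s2.tick += 1                             # advance_inputstream: in . Succ
    return s2


def execute(schedule: Schedule, st: State) -> State:
    """Execute s = do_phases 0 s: four phases, then a final update_state."""
    for n in range(NUM_PHASES):
        st = do_phase(schedule, n, st)
    return update_state(st)


# --- constructed circuit: mux (delay #0) -> latch (delay #1), plus a mem read (#2)
def mux_action(sel: int) -> Action:
    return ("MUX", 0, lambda st: (10, 20, 30)[sel - 1])   # muxout chooses input `sel`


LATCH_SET: Action = ("LATCH", 1, lambda st: current(st, "MUX"))   # latchinput = mux out
MEM_READ: Action = ("MEM", 2, lambda st: 99)                      # memout after two phases


def demo_schedule(st: State, n: int) -> List[Action]:
    return {0: [mux_action(2), MEM_READ], 1: [LATCH_SET]}.get(n, [])


def run_demo() -> Dict[str, Any]:
    st = State(sys={"MUX": 0, "LATCH": 0, "MEM": 0}, pending=[])
    st = do_phase(demo_schedule, 0, st)
    mux_p0, mem_p0 = current(st, "MUX"), current(st, "MEM")
    st = do_phase(demo_schedule, 1, st)
    latch_p1, mem_p1 = current(st, "LATCH"), current(st, "MEM")
    st = do_phase(demo_schedule, 2, st)
    latch_p2, mem_p2 = current(st, "LATCH"), current(st, "MEM")
    return {"mux_p0": mux_p0, "mem_p0": mem_p0, "latch_p1": latch_p1,
            "mem_p1": mem_p1, "latch_p2": latch_p2, "mem_p2": mem_p2,
            "tick": st.tick, "pending": list(st.pending)}
```

The run shows the hazard the `is_proper_*` predicates guard against: a value latched in phase 1 is `bottom` for the rest of that phase and only readable from phase 2, and a memory read issued in phase 0 with delay `#2` is `bottom` through phase 1 and readable in phase 2. This is exactly why the scheduler issues `A_mem(read MEM)` in phase 1 and consumes the data in PHASE3, and why `Proper_state` insists on `pending_changes s = []` at cycle boundaries.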

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Component Classes.

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The component class latch.

latch :: type

type latch_localstate = <<data,data>>

LOCAL_STATE ::= S_latch !latch_localstate |+

ACTION ::= A_latch !latch_ACT |+
latch_ACT ::=
    set !latch

latchdelay (set c) = #1
latchcomp (set c) = C_latch c

latchout (set c) s in = in
latchstate (set c) s in = in

effect (A_latch a) = latcheffect a
delay (A_latch a) = latchdelay a
component (A_latch a) = latchcomp a
latcheffect a s c =
    S_latch <<latchstate a (getlatchstate (current s c)) (latchinput s c),
              latchout a (getlatchstate (current s c)) (latchinput s c)>>
getlatchstate (S_latch <<x,y>>) = x
getlatchout0 (S_latch <<x,y>>) = y
is_proper_latch (S_latch <<x,y>>) = good y
|| clio: sy is_proper_latch extend
Goodlatch 's' 'out' :== 's'='out'

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component class mux.

mux :: type

type mux_localstate = data

LOCAL_STATE ::= S_mux !mux_localstate |+

ACTION ::= A_mux !mux_ACT |+
mux_ACT ::=
    choose3 !mux |
    choose2 !mux |
    choose1 !mux

muxdelay (choose3 c) = #0
muxcomp (choose3 c) = C_mux c
muxout (choose3 c) <<in1,in2,in3>> = in3

muxdelay (choose2 c) = #0
muxcomp (choose2 c) = C_mux c
muxout (choose2 c) <<in1,in2,in3>> = in2

muxdelay (choose1 c) = #0
muxcomp (choose1 c) = C_mux c
muxout (choose1 c) <<in1,in2,in3>> = in1

effect (A_mux a) = muxeffect a
delay (A_mux a) = muxdelay a
component (A_mux a) = muxcomp a

muxeffect a s c = S_mux (muxout a (muxinput s c))

getmuxout0 (S_mux y) = y

is_proper_mux (S_mux y) = good y

|| clio: sy is_proper_mux extend

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component class mem.

mem :: type

type mem_localstate = <<addr->data,data>>

LOCAL_STATE ::= S_mem !mem_localstate |+

ACTION ::= A_mem !mem_ACT |+
mem_ACT ::=
    write !mem |
    read !mem

memdelay (write c) = #2
memcomp (write c) = C_mem c
memout (write c) s <<aval,dval>> = nodata
memstate (write c) s <<aval,dval>> = update s aval dval

memdelay (read c) = #2
memcomp (read c) = C_mem c
memout (read c) s <<aval,dval>> = s aval
memstate (read c) s <<aval,dval>> = s

effect (A_mem a) = memeffect a
delay (A_mem a) = memdelay a
component (A_mem a) = memcomp a
memeffect a s c =
    S_mem <<memstate a (getmemstate (current s c)) (meminput s c),
            memout a (getmemstate (current s c)) (meminput s c)>>
getmemstate (S_mem <<x,y>>) = x
getmemout0 (S_mem <<x,y>>) = y
is_proper_mem (S_mem <<x,y>>) = ! y
|| clio: sy is_proper_mem extend

Goodmem 's' 'out' :== (x::addr) 'good (s x)'='!x' & '!(s x)'='!x'

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component class regfile.

regfile :: type

type regfile_localstate = <<regaddr->data,<<data,data,BOOL>>>>
LOCAL_STATE ::= S_regfile !regfile_localstate |+

ACTION ::= A_regfile !regfile_ACT |+
regfile_ACT ::=
    load !regfile |
    d_unload !regfile |
    unload !regfile

regfiledelay (load c) = #1
regfilecomp (load c) = C_regfile c
regfileout (load c) s <<src1,src2,dst,dval>> = <<nodata, nodata, False>>
regfilestate (load c) s <<src1,src2,dst,dval>> = update s dst dval

regfiledelay (d_unload c) = #1
regfilecomp (d_unload c) = C_regfile c
regfileout (d_unload c) s <<src1,src2,dst,dval>> = <<s dst, nodata, False>>
regfilestate (d_unload c) s <<src1,src2,dst,dval>> = s

regfiledelay (unload c) = #1
regfilecomp (unload c) = C_regfile c
regfileout (unload c) s <<src1,src2,dst,dval>> =
    <<s src1, s src2, LSB (s dst)>>
regfilestate (unload c) s <<src1,src2,dst,dval>> = s


effect (A_regfile a) = regfileeffect a
delay (A_regfile a) = regfiledelay a
component (A_regfile a) = regfilecomp a
regfileeffect a s c =
    S_regfile <<regfilestate a (getregfilestate (current s c))
                               (regfileinput s c),
                regfileout a (getregfilestate (current s c))
                             (regfileinput s c)>>

getregfilestate (S_regfile <<x,y>>) = x
getregfileout0 (S_regfile <<x,<<y0,y1,y2>> >>) = y0
getregfileout1 (S_regfile <<x,<<y0,y1,y2>> >>) = y1
getregfileout2 (S_regfile <<x,<<y0,y1,y2>> >>) = y2

is_proper_regfile (S_regfile <<x,<<y0,y1,y2>> >>) = (! y0) & (! y1) & (! y2)
|| clio: sy is_proper_regfile extend

Goodregfile 's' 'op1' 'op2' 'cc' :==
    (x::regaddr) 'good (s x)'='!x' & '!(s x)'='!x'


||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component class decoder.

decoder :: type

type decoder_localstate = <<opcode,BOOL,data,regaddr,data>>

LOCAL_STATE ::= S_decoder !decoder_localstate |+

ACTION ::= A_decoder !decoder_ACT |+
decoder_ACT ::=
    decode !decoder

decoderdelay (decode c) = #0
decodercomp (decode c) = C_decoder c

decoderout (decode c) in =
    <<opcodeof in, indirect in, dstof in, src1of in, src2of in>>

effect (A_decoder a) = decodereffect a
delay (A_decoder a) = decoderdelay a
component (A_decoder a) = decodercomp a
decodereffect a s c = S_decoder (decoderout a (decoderinput s c))
getdecoderout0 (S_decoder <<y0,y1,y2,y3,y4>>) = y0
getdecoderout1 (S_decoder <<y0,y1,y2,y3,y4>>) = y1
getdecoderout2 (S_decoder <<y0,y1,y2,y3,y4>>) = y2
getdecoderout3 (S_decoder <<y0,y1,y2,y3,y4>>) = y3
getdecoderout4 (S_decoder <<y0,y1,y2,y3,y4>>) = y4

is_proper_decoder (S_decoder <<y0,y1,y2,y3,y4>>) =
    (! y0) & (! y1) & (good y2) & (! y3) & (good y4)

|| clio: sy is_proper_decoder extend

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The component class alu.

alu :: type

type alu_localstate = data

LOCAL_STATE ::= S_alu !alu_localstate |+

ACTION ::= A_alu !alu_ACT |+
alu_ACT ::=
    compare !alu |
    subtract !alu |
    add !alu

aludelay (compare c) = #2
alucomp (compare c) = C_alu c
aluout (compare c) <<op1,op2>> = cne_data op1 op2

aludelay (subtract c) = #2
alucomp (subtract c) = C_alu c
aluout (subtract c) <<op1,op2>> = sub_data op1 op2

aludelay (add c) = #2
alucomp (add c) = C_alu c
aluout (add c) <<op1,op2>> = add_data op1 op2

effect (A_alu a) = alueffect a
delay (A_alu a) = aludelay a
component (A_alu a) = alucomp a

alueffect a s c = S_alu (aluout a (aluinput s c))
getaluout0 (S_alu y) = y
is_proper_alu (S_alu y) = good y
|| clio: sy is_proper_alu extend


||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The component class inc.

inc :: type

type inc_localstate = (data)

LOCAL_STATE ::= S_inc !inc_localstate |+
ACTION ::= A_inc !inc_ACT |+
inc_ACT ::=
    increment !inc

incdelay (increment c) = #1
inccomp (increment c) = C_inc c
incout (increment c) in = inc_data in

effect (A_inc a) = inceffect a
delay (A_inc a) = incdelay a
component (A_inc a) = inccomp a

inceffect a s c = S_inc (incout a (incinput s c))

getincout0 (S_inc y) = y

is_proper_inc (S_inc y) = good y

|| clio: sy is_proper_inc extend


||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component class matcher.
matcher :: type

type matcher_localstate = <<<<BOOL,BOOL>>,<<BOOL,BOOL>>>>

LOCAL_STATE ::= S_matcher !matcher_localstate |+

ACTION ::= A_matcher !matcher_ACT |+
matcher_ACT ::=
    match !matcher

matcherdelay (match c) = #1
matchercomp (match c) = C_matcher c
matcherout (match c) s <<src1,src2,dst>> =
    <<src1 = data_to_regaddr dst, data_to_regaddr src2 = data_to_regaddr dst>>
matcherstate (match c) s <<src1,src2,dst>> =
    <<src1 = data_to_regaddr dst, data_to_regaddr src2 = data_to_regaddr dst>>

effect (A_matcher a) = matchereffect a
delay (A_matcher a) = matcherdelay a
component (A_matcher a) = matchercomp a
matchereffect a s c =
    S_matcher <<matcherstate a (getmatcherstate (current s c))
                               (matcherinput s c),
                matcherout a (getmatcherstate (current s c)) (matcherinput s c)>>
getmatcherstate (S_matcher <<x,y>>) = x
getmatcherout0 (S_matcher <<x,<<y0,y1>> >>) = y0
getmatcherout1 (S_matcher <<x,<<y0,y1>> >>) = y1

is_proper_matcher (S_matcher <<x,<<y0,y1>> >>) = (! y0) & (! y1)

|| clio: sy is_proper_matcher extend

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component class bitlatch.
bitlatch :: type

type bitlatch_localstate = <<BOOL,(BOOL)>>

LOCAL_STATE ::= S_bitlatch !bitlatch_localstate |+

ACTION ::= A_bitlatch !bitlatch_ACT |+
bitlatch_ACT ::=
    setb !bitlatch

bitlatchdelay (setb c) = #1
bitlatchcomp (setb c) = C_bitlatch c
bitlatchout (setb c) s in = in
bitlatchstate (setb c) s in = in

effect (A_bitlatch a) = bitlatcheffect a
delay (A_bitlatch a) = bitlatchdelay a
component (A_bitlatch a) = bitlatchcomp a
bitlatcheffect a s c =
    S_bitlatch <<bitlatchstate a (getbitlatchstate (current s c))
                                 (bitlatchinput s c),
                 bitlatchout a (getbitlatchstate (current s c))
                               (bitlatchinput s c)>>

getbitlatchstate (S_bitlatch <<x,y>>) = x
getbitlatchout0 (S_bitlatch <<x,y>>) = y
is_proper_bitlatch (S_bitlatch <<x,y>>) = ! y
|| clio: sy is_proper_bitlatch extend
Goodbitlatch 's' 'out' :== 's'='out'

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component class special_regfile.

special_regfile :: type

type special_regfile_localstate = <<sregaddr->data,<<(byte),(data)>>>>

LOCAL_STATE ::= S_special_regfile !special_regfile_localstate |+

ACTION ::= A_special_regfile !special_regfile_ACT |+
special_regfile_ACT ::=
    sunload !special_regfile |
    sread !special_regfile |
    sload !special_regfile

special_regfiledelay (sunload c) = #1

special_regfilecomp (sunload c) = C_special_regfile c

special_regfileout (sunload c) s <<dst,din,v1,v2,v3,status,b,src>> =
    <<getbyte b (s PVT), s src>>

special_regfilestate (sunload c) s <<dst,din,v1,v2,v3,status,b,src>> = s

special_regfiledelay (sread c) = #1
special_regfilecomp (sread c) = C_special_regfile c
special_regfileout (sread c) s <<dst,din,v1,v2,v3,status,b,src>> =
    <<getbyte b (s PVT), s dst>>

special_regfilestate (sread c) s <<dst,din,v1,v2,v3,status,b,src>> =
    vtrs_update s b v1 v2 v3 status

special_regfiledelay (sload c) = #1

special_regfilecomp (sload c) = C_special_regfile c

special_regfileout (sload c) s <<dst,din,v1,v2,v3,status,b,src>> =
    <<(protected dst -> getbyte b (s PVT); getbyte b (update s dst din PVT)),
      bottom>>

special_regfilestate (sload c) s <<dst,din,v1,v2,v3,status,b,src>> =
    ((protected dst)->s; update s dst din)


effect (A_special_regfile a) = special_regfileeffect a
delay (A_special_regfile a) = special_regfiledelay a
component (A_special_regfile a) = special_regfilecomp a
special_regfileeffect a s c =
    S_special_regfile <<special_regfilestate a (getspecial_regfilestate (current s c))
                                               (special_regfileinput s c),
                        special_regfileout a (getspecial_regfilestate (current s c))
                                             (special_regfileinput s c)>>
getspecial_regfilestate (S_special_regfile <<x,y>>) = x
getspecial_regfileout0 (S_special_regfile <<x,<<y0,y1>> >>) = y0
getspecial_regfileout1 (S_special_regfile <<x,<<y0,y1>> >>) = y1

is_proper_special_regfile (S_special_regfile <<x,<<y0,y1>> >>) =
    (! y0) & (! y1)

|| clio: sy is_proper_special_regfile extend
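The `sload` clauses above are the one place where the design enforces a privilege boundary: a write-back whose destination satisfies `protected dst` leaves the special register file unchanged, and the PVT byte driven on out0 is taken from whatever state the write actually produced. The Python model below is an added example and not part of the ORA listing. `protected`, `getbyte`, `update` and `vtrs_update` are imported from other modules that are not on this page, so the versions here are assumptions made for the illustration: registers are 16-bit words addressed by name, `getbyte b` selects the low (b = 0) or high (b = 1) byte, the set of protected registers is a constructed guess (VT1, VT2, VT3 and STATUS), and `vtrs_update` merely stores the three voter bytes into VT1..VT3 at byte position `b`.

```python
"""Executable model of the special_regfile actions sunload / sread / sload.

Added example, not from the ORA listing. PROTECTED, getbyte, update and
vtrs_update are stand-ins for definitions that live in other modules.
"""
from typing import Dict, Optional, Tuple

PVT, VT1, VT2, VT3, STATUS = "PVT", "VT1", "VT2", "VT3", "STATUS"
PROTECTED = {VT1, VT2, VT3, STATUS}      # assumption: which sregaddrs `protected` names
BOTTOM = None

SRegFile = Dict[str, int]                # sregaddr -> data, modelled as 16-bit words
# special_regfileinput = <<dst, din, v1, v2, v3, status, b, src>>
SRegInput = Tuple[str, int, int, int, int, int, int, str]
SRegOut = Tuple[int, Optional[int]]      # <<(byte), (data)>> = (out0, out1)


def getbyte(b: int, word: int) -> int:
    """Assumed getbyte: byte 0 is the low byte, byte 1 the high byte."""
    return (word >> (8 * b)) & 0xFF


def update(s: SRegFile, addr: str, val: int) -> SRegFile:
    """Functional `update s dst din`: a copy with one entry replaced."""
    s2 = dict(s)
    s2[addr] = val & 0xFFFF
    return s2


def vtrs_update(s: SRegFile, b: int, v1: int, v2: int, v3: int, status: int) -> SRegFile:
    """Stand-in for the imported vtrs_update: park the voter bytes in VT1..VT3."""
    s2 = dict(s)
    mask = 0xFF << (8 * b)
    for reg, v in ((VT1, v1), (VT2, v2), (VT3, v3)):
        s2[reg] = (s2[reg] & ~mask) | ((v & 0xFF) << (8 * b))
    return s2


def sunload(s: SRegFile, inp: SRegInput) -> Tuple[SRegFile, SRegOut]:
    dst, din, v1, v2, v3, status, b, src = inp
    return s, (getbyte(b, s[PVT]), s[src])


def sread(s: SRegFile, inp: SRegInput) -> Tuple[SRegFile, SRegOut]:
    dst, din, v1, v2, v3, status, b, src = inp
    out = (getbyte(b, s[PVT]), s[dst])        # output computed from the old state
    return vtrs_update(s, b, v1, v2, v3, status), out


def sload(s: SRegFile, inp: SRegInput) -> Tuple[SRegFile, SRegOut]:
    """A write to a protected register is dropped; out0 reflects the state
    that results, i.e. the old PVT byte when the write was refused."""
    dst, din, v1, v2, v3, status, b, src = inp
    if dst in PROTECTED:
        return s, (getbyte(b, s[PVT]), BOTTOM)
    s2 = update(s, dst, din)
    return s2, (getbyte(b, s2[PVT]), BOTTOM)


def fresh_sregs() -> SRegFile:
    """Constructed starting state."""
    return {PVT: 0xBEEF, VT1: 0, VT2: 0, VT3: 0, STATUS: 0x0001}


def demo_sload_protection() -> Dict[str, object]:
    s0 = fresh_sregs()
    # two constructed SADD write-backs: one to PVT, one aimed at protected STATUS
    s1, out1 = sload(s0, (PVT, 0x1234, 0, 0, 0, 0, 0, PVT))
    s2, out2 = sload(s0, (STATUS, 0xFFFF, 0, 0, 0, 0, 1, PVT))
    return {"pvt_after_write": s1[PVT], "pvt_byte_out": out1[0],
            "status_after_write": s2[STATUS], "status_out_byte": out2[0],
            "protected_unchanged": s2 == s0}
```

Two points worth noticing in the run. First, the refused write is silent: `sload` produces no error output, so software cannot tell from out0 alone that its store was dropped, which is why the PVT lemmas in section 4.1 are stated over the register contents rather than over the output byte. Second, `sread` always returns the PVT byte and `s dst` computed from the state before `vtrs_update` ran, matching the `#1` delay on every special-register action.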


||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The component class mux4.

mux4 :: type

type mux4_localstate = (data)

LOCAL_STATE ::= S_mux4 !mux4_localstate |+

ACTION ::= A_mux4 !mux4_ACT |+
mux4_ACT ::=
    choose4_4 !mux4 |
    choose4_3 !mux4 |
    choose4_2 !mux4 |
    choose4_1 !mux4

mux4delay (choose4_4 c) = #0
mux4comp (choose4_4 c) = C_mux4 c
mux4out (choose4_4 c) <<in1,in2,in3,in4>> = in4

mux4delay (choose4_3 c) = #0
mux4comp (choose4_3 c) = C_mux4 c
mux4out (choose4_3 c) <<in1,in2,in3,in4>> = in3

mux4delay (choose4_2 c) = #0
mux4comp (choose4_2 c) = C_mux4 c
mux4out (choose4_2 c) <<in1,in2,in3,in4>> = in2

mux4delay (choose4_1 c) = #0
mux4comp (choose4_1 c) = C_mux4 c
mux4out (choose4_1 c) <<in1,in2,in3,in4>> = in1

effect (A_mux4 a) = mux4effect a
delay (A_mux4 a) = mux4delay a
component (A_mux4 a) = mux4comp a

mux4effect a s c = S_mux4 (mux4out a (mux4input s c))
getmux4out0 (S_mux4 y) = y
is_proper_mux4 (S_mux4 y) = ! y
|| clio: sy is_proper_mux4 extend


||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The component class byte_counter.

byte_counter :: type

type byte_counter_localstate = <<byte_num,(byte_num)>>

LOCAL_STATE ::= S_byte_counter !byte_counter_localstate |+

ACTION ::= A_byte_counter !byte_counter_ACT |+
byte_counter_ACT ::=
    reset_count !byte_counter |
    inc_byte !byte_counter

byte_counterdelay (reset_count c) = #0
byte_countercomp (reset_count c) = C_byte_counter c
byte_counterout (reset_count c) s in = BYTE0
byte_counterstate (reset_count c) s in = BYTE0

byte_counterdelay (inc_byte c) = #0
byte_countercomp (inc_byte c) = C_byte_counter c
byte_counterout (inc_byte c) s in = byte_inc s
byte_counterstate (inc_byte c) s in = byte_inc s

effect (A_byte_counter a) = byte_countereffect a
delay (A_byte_counter a) = byte_counterdelay a
component (A_byte_counter a) = byte_countercomp a
byte_countereffect a s c =
    S_byte_counter <<byte_counterstate a (getbyte_counterstate (current s c))
                                         (byte_counterinput s c),
                     byte_counterout a (getbyte_counterstate (current s c))
                                       (byte_counterinput s c)>>

getbyte_counterstate (S_byte_counter <<x,y>>) = x
getbyte_counterout0 (S_byte_counter <<x,y>>) = y
is_proper_byte_counter (S_byte_counter <<x,y>>) = ! y
|| clio: sy is_proper_byte_counter extend


ACTION ::= |

LOCAL_STATE ::= |

COMP ::=
    C_latch !latch |
    C_mux !mux |
    C_mem !mem |
    C_regfile !regfile |
    C_decoder !decoder |
    C_alu !alu |
    C_inc !inc |
    C_matcher !matcher |
    C_bitlatch !bitlatch |
    C_special_regfile !special_regfile |
    C_mux4 !mux4 |
    C_byte_counter !byte_counter
||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Components (other than Controller and External)
|| and their connections.

mem ::= MEM |+
meminput s (C_mem MEM) =
    <<data_to_addr (getmux4out0 (current s (C_mux4 ADDR))),
      getmuxout0 (current s (C_mux DAT))>>
mux ::= DAT |+
muxinput s (C_mux DAT) =
    <<getmemout0 (current s (C_mem MEM)), bottom,
      getregfileout0 (current s (C_regfile REG))>>
latch ::= IREG |+
latchinput s (C_latch IREG) = getmuxout0 (current s (C_mux DAT))

mux4 ::= ADDR |+
mux4input s (C_mux4 ADDR) =
    <<getincout0 (current s (C_inc INC)),
      getlatchout0 (current s (C_latch HAND)),
      getlatchout0 (current s (C_latch IREG)),
      getlatchout0 (current s (C_latch RSLT))>>
latch ::= NXPC |+
latchinput s (C_latch NXPC) = getmux4out0 (current s (C_mux4 ADDR))
inc ::= INC |+
incinput s (C_inc INC) = getlatchout0 (current s (C_latch NXPC))

latch ::= HAND |+
latchinput s (C_latch HAND) =
    reset_to_addr (external_input_reset (current_input s))
bitlatch ::= RESET |+
bitlatchinput s (C_bitlatch RESET) = external_input_reset (current_input s)
latch ::= INST |+
latchinput s (C_latch INST) = getlatchout0 (current s (C_latch IREG))
latch ::= RSLT |+
latchinput s (C_latch RSLT) = getmuxout0 (current s (C_mux RS))

mux ::= RS |+
muxinput s (C_mux RS) =
    <<bottom, getaluout0 (current s (C_alu ALU)),
      getlatchout0 (current s (C_latch SOUT))>>
alu ::= ALU |+
aluinput s (C_alu ALU) =
    <<getmuxout0 (current s (C_mux OP1)),
      getmuxout0 (current s (C_mux OP2))>>
mux ::= OP1 |+
muxinput s (C_mux OP1) =
    <<getlatchout0 (current s (C_latch RSLT)), bottom,
      getregfileout0 (current s (C_regfile REG))>>
mux ::= OP2 |+
muxinput s (C_mux OP2) =
    <<getdecoderout4 (current s (C_decoder DEC)),
      getregfileout1 (current s (C_regfile REG)),
      getlatchout0 (current s (C_latch RSLT))>>
regfile ::= REG |+
regfileinput s (C_regfile REG) =
    <<getdecoderout3 (current s (C_decoder DEC)),
      data_to_regaddr (getdecoderout4 (current s (C_decoder DEC))),
      data_to_regaddr (getlatchout0 (current s (C_latch DST))),
      getmuxout0 (current s (C_mux DVAL))>>
latch ::= DST |+
latchinput s (C_latch DST) = getdecoderout2 (current s (C_decoder DEC))
decoder ::= DEC |+
decoderinput s (C_decoder DEC) = getlatchout0 (current s (C_latch IREG))

matcher ::= MTCH |+
matcherinput s (C_matcher MTCH) =
    <<getdecoderout3 (current s (C_decoder DEC)),
      getdecoderout4 (current s (C_decoder DEC)),
      getlatchout0 (current s (C_latch DST))>>
mux ::= DVAL |+
muxinput s (C_mux DVAL) =
    <<getmuxout0 (current s (C_mux DAT)),
      getlatchout0 (current s (C_latch RSLT)), bottom>>
special_regfile ::= SREG |+
special_regfileinput s (C_special_regfile SREG) =
    <<data_to_sregaddr (getlatchout0 (current s (C_latch DST))),
      getlatchout0 (current s (C_latch RSLT)),
      external_input_v1 (current_input s),
      external_input_v2 (current_input s),
      external_input_v3 (current_input s),
      external_input_ST (current_input s),
      getbyte_counterout0 (current s (C_byte_counter BC)),
      regaddr_to_sregaddr (getdecoderout3 (current s (C_decoder DEC)))>>
byte_counter ::= BC |+
byte_counterinput s (C_byte_counter BC) = bottom

latch ::= SOUT |+
latchinput s (C_latch SOUT) =
    getspecial_regfileout1 (current s (C_special_regfile SREG))

latch ::= |
mux ::= |
mem ::= |
regfile ::= |
decoder ::= |
alu ::= |
inc ::= |
matcher ::= |
bitlatch ::= |
special_regfile ::= |
mux4 ::= |
byte_counter ::= |

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Output function

Out s = (getspecial_regfileout0 (current s (C_special_regfile SREG)))

external_output_PVT x0 = x0

inlist_from <<s,p,in>> = input_phases_of in

input_phases_of in = (map in input_phases) ++
                     input_phases_of (in . (#+ num_phases))

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The scheduler.

scheduler WBA <<reset, inst, op, ind, eq1, eq2, cc>> 0 =
    (DECODE)++(SET_H)++(UNLOAD_INC)++[A_byte_counter(inc_byte BC)]
scheduler WBJ <<reset, inst, op, ind, eq1, eq2, cc>> 0 =
    (DECODE)++(SET_H)++(UNLOAD_INC)++[A_byte_counter(inc_byte BC)]
scheduler WBS <<reset, inst, op, ind, eq1, eq2, cc>> 0 =
    (DECODE)++(SET_H)++[A_regfile(d_unload REG),
                        A_byte_counter(inc_byte BC)]
scheduler WBL <<reset, inst, op, ind, eq1, eq2, cc>> 0 =
    (DECODE)++(SET_H)++(READ_RESULT)++[A_byte_counter(inc_byte BC)]
scheduler WBJ <<reset, inst, op, ind, eq1, eq2, cc>> 1 =
    (JFETCH reset inst cc)++(GET_OPS ind)++(ALUOP op)++
    [A_latch(set SOUT), A_special_regfile(sread SREG)]
scheduler WBJ <<reset, inst, op, ind, eq1, eq2, cc>> 2 =
    [A_latch(set NXPC), A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler WBJ <<reset, inst, op, ind, eq1, eq2, cc>> 3 =
    (PHASE3 op)++[Advance_controller]
scheduler WBS <<reset, inst, op, ind, eq1, eq2, cc>> 1 =
    (WRITE)++[A_special_regfile(sread SREG)]
scheduler WBA <<reset, inst, op, ind, eq1, eq2, cc>> 1 =
    (FETCH reset)++(FORWARD_OPS ind eq1 eq2 inst)++(ALUOP op)++
    [A_latch(set SOUT), A_special_regfile(sread SREG)]
scheduler INTF <<reset, inst, op, ind, eq1, eq2, cc>> 1 =
    (READ_IREG)++[A_special_regfile(sread SREG)]
scheduler INTC <<reset, inst, op, ind, eq1, eq2, cc>> 1 =
    (READ_INC)++(GET_OPS ind)++(ALUOP op)++[A_latch(set SOUT),
                                             A_special_regfile(sread SREG)]
scheduler DF <<reset, inst, op, ind, eq1, eq2, cc>> 1 =
    (FETCH reset)++(GET_OPS ind)++(ALUOP op)++[A_latch(set SOUT),
                                                A_special_regfile(sread SREG)]
scheduler WBL <<reset, inst, op, ind, eq1, eq2, cc>> 1 =
    [A_special_regfile(sread SREG)]
scheduler INTF <<reset, inst, op, ind, eq1, eq2, cc>> 2 =
    [A_latch(set NXPC), A_byte_counter(inc_byte BC)]
scheduler INTF <<reset, inst, op, ind, eq1, eq2, cc>> 3 =
    [A_mux(choose1 DAT), A_latch(set IREG),
     A_special_regfile(sread SREG)]++[Advance_controller]
scheduler INTF <<reset, inst, op, ind, eq1, eq2, cc>> 0 =
    [A_byte_counter(inc_byte BC)]
scheduler INTC <<reset, inst, op, ind, eq1, eq2, cc>> 3 =
    (PHASE3 op)++[Advance_controller]
scheduler DFI <<reset, inst, op, ind, eq1, eq2, cc>> 3 =
    (PHASE3 op)++[Advance_controller]
scheduler INTC <<reset, inst, op, ind, eq1, eq2, cc>> 0 =
    (DECODE)++(SET_H)++(UNLOAD_INC)++[A_byte_counter(inc_byte BC)]
scheduler INTC <<reset, inst, op, ind, eq1, eq2, cc>> 2 =
    [A_latch(set NXPC), A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler DFI <<reset, inst, op, ind, eq1, eq2, cc>> 2 =
    [A_latch(set NXPC), A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler DF <<reset, inst, op, ind, eq1, eq2, cc>> 3 =
    (PHASE3 op)++[Advance_controller]
scheduler DF <<reset, inst, op, ind, eq1, eq2, cc>> 0 =
    (DECODE)++(SET_H)++(UNLOAD_INC)++[A_byte_counter(inc_byte BC)]
scheduler WBA <<reset, inst, op, ind, eq1, eq2, cc>> 2 =
    [A_latch(set NXPC), A_latch(set INST)]++(LOAD_RESULT inst)++
    [A_byte_counter(inc_byte BC)]
scheduler WBA <<reset, inst, op, ind, eq1, eq2, cc>> 3 =
    (PHASE3 op)++[Advance_controller]
scheduler WBL <<reset, inst, op, ind, eq1, eq2, cc>> 2 =
    (LOAD_DATA)++[A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler WBL <<reset, inst, op, ind, eq1, eq2, cc>> 3 =
    [A_special_regfile(sread SREG)]++[Advance_controller]
scheduler DF <<reset, inst, op, ind, eq1, eq2, cc>> 2 =
    [A_latch(set NXPC), A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler WBS <<reset, inst, op, ind, eq1, eq2, cc>> 2 =
    [A_latch(set INST), A_byte_counter(inc_byte BC)]
scheduler WBS <<reset, inst, op, ind, eq1, eq2, cc>> 3 =
    [A_special_regfile(sread SREG)]++[Advance_controller]

DECODE = [A_decoder(decode DEC), A_matcher(match MTCH)]

SET_H = [A_latch(set HAND), A_bitlatch(setb RESET)]

UNLOAD_INC = [A_regfile(unload REG), A_special_regfile(sunload SREG),
              A_inc(increment INC)]

scheduler DFI <<reset, inst, op, ind, eq1, eq2, cc>> 0 =
    (DECODE)++(UNLOAD_INC)++[A_byte_counter(inc_byte BC)]
READ_RESULT = [A_mux4(choose4_4 ADDR), A_mem(read MEM)]

GET_OPS ind = [A_mux(choose3 OP1)]++((ind)->[A_mux(choose2 OP2)];
                                           [A_mux(choose1 OP2)])

scheduler DFI <<reset, inst, op, ind, eq1, eq2, cc>> 1 =
    (READ_HAND)++(GET_OPS ind)++(ALUOP op)++
    [A_latch(set SOUT), A_special_regfile(sread SREG)]
ALUOP op = ((op=CNE)->[A_alu(compare ALU)]; [A_alu(add ALU)])
READ_HAND = [A_mux4(choose4_2 ADDR), A_mem(read MEM)]

READ_INC = [A_mux4(choose4_1 ADDR), A_mem(read MEM)]

FETCH reset = ((reset)->(READ_HAND);(READ_INC))

READ_IREG = [A_mux4(choose4_3 ADDR), A_mem(read MEM)]

WRITE = [A_mux4(choose4_4 ADDR), A_mux(choose3 DAT), A_mem(write MEM)]
FORWARD_OPS ind eq1 eq2 inst =
    ((eq1 & (inst ~= SADD))->[A_mux(choose1 OP1)]; [A_mux(choose3 OP1)])++
    ((ind)->((eq2 & (inst ~= SADD))->[A_mux(choose3 OP2)];
                                     [A_mux(choose2 OP2)]);
            [A_mux(choose1 OP2)])

JFETCH reset inst cc =
    ((reset)->(READ_HAND);
     ((((inst=JMP) xor ((inst=JIT)&cc) xor ((inst=JIF)&(~cc))))
        ->(READ_RESULT);(READ_INC)))

LOAD_DATA = [A_mux(choose1 DAT), A_mux(choose1 DVAL), A_regfile(load REG)]

LOAD_RESULT inst = [A_mux(choose2 DVAL)]++
    ((inst=SADD)->[A_special_regfile(sload SREG)]; [A_regfile(load REG)])
PHASE3 op =
    [A_mux(choose1 DAT), A_latch(set IREG),
     A_latch(set DST)]++(SET_RESULT op)++[A_special_regfile(sread SREG)]

SET_RESULT op = ((op=MOVE)->[A_mux(choose3 RS)]; [A_mux(choose2 RS)])++
                [A_latch(set RSLT)]

scheduler s in 3 = [Advance_controller]
scheduler s in t = []
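FORWARD_OPS and JFETCH are the scheduler entries that decide where the ALU operands and the next fetch address come from, and reading them requires cross-referencing the mux connection list: on OP1, `choose1` is the RSLT latch and `choose3` is regfile out0; on OP2, `choose1` is the decoder's immediate (out4), `choose2` is regfile out1 and `choose3` is RSLT; on ADDR, the four inputs are INC, HAND, IREG and RSLT. The Python below is an added example, not code from the ORA listing: it transcribes FORWARD_OPS, GET_OPS, ALUOP, FETCH and JFETCH and resolves each mux choice to the physical source it is wired to, so the forwarding decisions can be tabulated. The source labels such as `"REG.out0"` are names chosen here for the illustration.

```python
"""Executable model of FORWARD_OPS / GET_OPS / JFETCH / ALUOP with the mux
connections resolved to their physical sources.

Added example, not from the ORA listing. Source labels are illustrative.
"""
from typing import Dict, List, Tuple

SADD, CNE, JMP, JIT, JIF, ADD = "SADD", "CNE", "JMP", "JIT", "JIF", "ADD"

# (component, action) pairs, e.g. ("OP1", "choose1") for A_mux(choose1 OP1)
Action = Tuple[str, str]


def forward_ops(ind: bool, eq1: bool, eq2: bool, inst: str) -> List[Action]:
    """FORWARD_OPS ind eq1 eq2 inst: forward from RSLT only on a matcher hit,
    and never for SADD, whose result goes to the special register file."""
    ops = [("OP1", "choose1") if (eq1 and inst != SADD) else ("OP1", "choose3")]
    if ind:
        ops.append(("OP2", "choose3") if (eq2 and inst != SADD) else ("OP2", "choose2"))
    else:
        ops.append(("OP2", "choose1"))
    return ops


def get_ops(ind: bool) -> List[Action]:
    """GET_OPS ind: no forwarding, operands straight from REG or the immediate."""
    return [("OP1", "choose3"), ("OP2", "choose2" if ind else "choose1")]


def aluop(op: str) -> List[Action]:
    """ALUOP op: only compare and add are ever scheduled."""
    return [("ALU", "compare" if op == CNE else "add")]


READ_HAND: List[Action] = [("ADDR", "choose4_2"), ("MEM", "read")]
READ_INC: List[Action] = [("ADDR", "choose4_1"), ("MEM", "read")]
READ_RESULT: List[Action] = [("ADDR", "choose4_4"), ("MEM", "read")]


def fetch(reset: bool) -> List[Action]:
    return READ_HAND if reset else READ_INC


def jfetch(reset: bool, inst: str, cc: bool) -> List[Action]:
    """JFETCH reset inst cc: the three opcode tests are mutually exclusive,
    so the xor in the listing behaves as an or."""
    if reset:
        return READ_HAND
    taken = (inst == JMP) ^ ((inst == JIT) and cc) ^ ((inst == JIF) and not cc)
    return READ_RESULT if taken else READ_INC


# Connection list from the design, resolved to the source behind each mux input.
OP1_SRC: Dict[str, str] = {"choose1": "RSLT", "choose3": "REG.out0"}
OP2_SRC: Dict[str, str] = {"choose1": "DEC.out4", "choose2": "REG.out1", "choose3": "RSLT"}
ADDR_SRC: Dict[str, str] = {"choose4_1": "INC", "choose4_2": "HAND",
                            "choose4_3": "IREG", "choose4_4": "RSLT"}


def operand_sources(ind: bool, eq1: bool, eq2: bool, inst: str) -> Tuple[str, str]:
    """Which physical sources feed ALU op1 and op2 for a WBA-state instruction."""
    sel = dict(forward_ops(ind, eq1, eq2, inst))
    return OP1_SRC[sel["OP1"]], OP2_SRC[sel["OP2"]]


def fetch_source(reset: bool, inst: str, cc: bool) -> str:
    """Which address source the WBJ-state fetch uses."""
    sel = dict(jfetch(reset, inst, cc))
    return ADDR_SRC[sel["ADDR"]]


def forwarding_table() -> Dict[Tuple[bool, bool, bool, str], Tuple[str, str]]:
    """Every combination of (ind, eq1, eq2, inst in {ADD, SADD})."""
    return {(i, e1, e2, k): operand_sources(i, e1, e2, k)
            for i in (False, True) for e1 in (False, True)
            for e2 in (False, True) for k in (ADD, SADD)}
```

The table makes the SADD exclusion visible: the matcher compares general-register numbers, but an SADD's destination names a special register (LOAD_RESULT sends it through `sload SREG`, not `load REG`), so a matcher hit after an SADD is a false hazard and forwarding RSLT into the next instruction would feed it the wrong value. Forwarding for SADD is therefore suppressed on both operands even when `eq1` or `eq2` is true.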

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Proper state predicates.
is_proper_state 's' :==

    'is_proper_contr (current s Controller)' = 'True'
  & 'is_proper_mem (current s (C_mem MEM))' = 'True'
  & 'is_proper_mux (current s (C_mux DAT))' = 'True'
  & 'is_proper_latch (current s (C_latch IREG))' = 'True'
  & 'is_proper_mux4 (current s (C_mux4 ADDR))' = 'True'
  & 'is_proper_latch (current s (C_latch NXPC))' = 'True'
  & 'is_proper_inc (current s (C_inc INC))' = 'True'
  & 'is_proper_latch (current s (C_latch HAND))' = 'True'
  & 'is_proper_bitlatch (current s (C_bitlatch RESET))' = 'True'
  & 'is_proper_latch (current s (C_latch INST))' = 'True'
  & 'is_proper_latch (current s (C_latch RSLT))' = 'True'
  & 'is_proper_mux (current s (C_mux RS))' = 'True'
  & 'is_proper_alu (current s (C_alu ALU))' = 'True'
  & 'is_proper_mux (current s (C_mux OP1))' = 'True'
  & 'is_proper_mux (current s (C_mux OP2))' = 'True'
  & 'is_proper_regfile (current s (C_regfile REG))' = 'True'
  & 'is_proper_latch (current s (C_latch DST))' = 'True'
  & 'is_proper_decoder (current s (C_decoder DEC))' = 'True'
  & 'is_proper_matcher (current s (C_matcher MTCH))' = 'True'
  & 'is_proper_mux (current s (C_mux DVAL))' = 'True'
  & 'is_proper_special_regfile (current s (C_special_regfile SREG))' = 'True'
  & 'is_proper_byte_counter (current s (C_byte_counter BC))' = 'True'
  & 'is_proper_latch (current s (C_latch SOUT))' = 'True'

Proper_state 's' :==

    'pending_changes s' = '[]'
  & is_proper_state 's'
  & Goodmem 'getmemstate (current s (C_mem MEM))'
            'getmemout0 (current s (C_mem MEM))'
  & Goodlatch 'getlatchstate (current s (C_latch IREG))'
              'getlatchout0 (current s (C_latch IREG))'
  & Goodlatch 'getlatchstate (current s (C_latch NXPC))'
              'getlatchout0 (current s (C_latch NXPC))'
  & Goodlatch 'getlatchstate (current s (C_latch HAND))'
              'getlatchout0 (current s (C_latch HAND))'
  & Goodbitlatch 'getbitlatchstate (current s (C_bitlatch RESET))'
                 'getbitlatchout0 (current s (C_bitlatch RESET))'
  & Goodlatch 'getlatchstate (current s (C_latch INST))'
              'getlatchout0 (current s (C_latch INST))'
  & Goodlatch 'getlatchstate (current s (C_latch RSLT))'
              'getlatchout0 (current s (C_latch RSLT))'
  & Goodregfile 'getregfilestate (current s (C_regfile REG))'
                'getregfileout0 (current s (C_regfile REG))'
                'getregfileout1 (current s (C_regfile REG))'
                'getregfileout2 (current s (C_regfile REG))'
  & Goodlatch 'getlatchstate (current s (C_latch DST))'
              'getlatchout0 (current s (C_latch DST))'
  & Goodlatch 'getlatchstate (current s (C_latch SOUT))'
              'getlatchout0 (current s (C_latch SOUT))'
  & Proper_External 's'

|| clio: symbol Proper_state extend_auto

|| clio: symbol pending_changes extend_auto

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| For export to other modules, we define functions that
|| access the internal state of each component that has one.
get_MEM_state s = getmemstate (current s (C_mem MEM))
get_IREG_state s = getlatchstate (current s (C_latch IREG))
get_NXPC_state s = getlatchstate (current s (C_latch NXPC))
get_HAND_state s = getlatchstate (current s (C_latch HAND))
get_RESET_state s = getbitlatchstate (current s (C_bitlatch RESET))
get_INST_state s = getlatchstate (current s (C_latch INST))
get_RSLT_state s = getlatchstate (current s (C_latch RSLT))
get_REG_state s = getregfilestate (current s (C_regfile REG))
get_DST_state s = getlatchstate (current s (C_latch DST))
get_MTCH_state s = getmatcherstate (current s (C_matcher MTCH))
get_SREG_state s = getspecial_regfilestate (current s (C_special_regfile SREG))
get_BC_state s = getbyte_counterstate (current s (C_byte_counter BC))
get_SOUT_state s = getlatchstate (current s (C_latch SOUT))

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Auxiliary definitions.

ABS s = <<get_MEM_state s, get_NXPC_state s,
          get_REG_state s, get_INST_state s,
          get_SREG_state s, time_abs (inlist_from s)>>

time_abs (<<r0,v10,v20,v30,st0>> : <<r1,v11,v21,v31,st1>> : <<r3,v13,v23,v33,st3>> : rest) =
    <<r0, [v11,v13], [v21,v23], [v31,v33], [st1,st3]>> : (time_abs rest)

vtrs_update s b v1 v2 v3 st =
    update (update (update (update s VT1 (set_byte b (s VT1) v1))
                                     VT2 (set_byte b (s VT2) v2))
                             VT3 (set_byte b (s VT3) v3))
           STATUS (set_byte b (s STATUS) st)

mux4input = bottom

|| The following should be generated by the tool
path_taken s {controllerstate s = WBA} =
    (external_input_reset (current_input s)) -> ACTPATH1 ; ACTPATH0
path_taken s {controllerstate s = WBS} =
    (external_input_reset (current_input s)) -> ACTPATH4 ;
    (external_input_reset (nth_input (#4) s)) -> ACTPATH3 ; ACTPATH2
path_taken s {controllerstate s = WBL} =
    (external_input_reset (current_input s)) -> ACTPATH7 ;
    (external_input_reset (nth_input (#4) s)) -> ACTPATH6 ; ACTPATH5
path_taken s {controllerstate s = WBJ} =
    (external_input_reset (current_input s)) -> ACTPATH9 ; ACTPATH8


||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The cutpoints and loop conditions.

CUTPOINT ::= ACT

at_ACT s = ACT_state (controllerstate s)

ACT_state WBJ = True
ACT_state WBA = True
ACT_state WBS = True
ACT_state WBL = True
ACT_state x = False

PATH ::= ACTPATH0 |+
path_start ACTPATH0 = ACT
path_end ACTPATH0 = ACT
path_length ACTPATH0 = #1

path_condition ‘ACTPATH0‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBA‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘False‘

PATH ::= ACTPATH1 |+
path_start ACTPATH1 = ACT
path_end ACTPATH1 = ACT
path_length ACTPATH1 = #3

path_condition ‘ACTPATH1‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBA‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘True‘
  & ‘controllerstate (iterate Execute (#1) s)‘ = ‘INTF‘
  & ‘controllerstate (iterate Execute (#2) s)‘ = ‘INTC‘

PATH ::= ACTPATH2 |+
path_start ACTPATH2 = ACT
path_end ACTPATH2 = ACT
path_length ACTPATH2 = #2

path_condition ‘ACTPATH2‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBS‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘False‘
  & ‘controllerstate (iterate Execute (#1) s)‘ = ‘DF‘
  & ‘(resetof (controllerinput (iterate Execute (#2) s)))‘ = ‘False‘

PATH ::= ACTPATH3 |+
path_start ACTPATH3 = ACT
path_end ACTPATH3 = ACT
path_length ACTPATH3 = #4

path_condition ‘ACTPATH3‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBS‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘False‘
  & ‘controllerstate (iterate Execute (#1) s)‘ = ‘DF‘
  & ‘(resetof (controllerinput (iterate Execute (#2) s)))‘ = ‘True‘
  & ‘controllerstate (iterate Execute (#2) s)‘ = ‘INTF‘
  & ‘controllerstate (iterate Execute (#3) s)‘ = ‘INTC‘

PATH ::= ACTPATH4 |+
path_start ACTPATH4 = ACT
path_end ACTPATH4 = ACT
path_length ACTPATH4 = #4

path_condition ‘ACTPATH4‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBS‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘True‘
  & ‘controllerstate (iterate Execute (#1) s)‘ = ‘DFI‘
  & ‘controllerstate (iterate Execute (#2) s)‘ = ‘INTF‘
  & ‘controllerstate (iterate Execute (#3) s)‘ = ‘INTC‘

PATH ::= ACTPATH5 |+
path_start ACTPATH5 = ACT
path_end ACTPATH5 = ACT
path_length ACTPATH5 = #2

path_condition ‘ACTPATH5‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBL‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘False‘
  & ‘controllerstate (iterate Execute (#1) s)‘ = ‘DF‘
  & ‘(resetof (controllerinput (iterate Execute (#2) s)))‘ = ‘False‘

PATH ::= ACTPATH6 |+
path_start ACTPATH6 = ACT
path_end ACTPATH6 = ACT
path_length ACTPATH6 = #4

path_condition ‘ACTPATH6‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBL‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘False‘
  & ‘controllerstate (iterate Execute (#1) s)‘ = ‘DF‘
  & ‘(resetof (controllerinput (iterate Execute (#2) s)))‘ = ‘True‘
  & ‘controllerstate (iterate Execute (#2) s)‘ = ‘INTF‘
  & ‘controllerstate (iterate Execute (#3) s)‘ = ‘INTC‘

PATH ::= ACTPATH7 |+
path_start ACTPATH7 = ACT
path_end ACTPATH7 = ACT
path_length ACTPATH7 = #4

path_condition ‘ACTPATH7‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBL‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘True‘
  & ‘controllerstate (iterate Execute (#1) s)‘ = ‘DFI‘
  & ‘controllerstate (iterate Execute (#2) s)‘ = ‘INTF‘
  & ‘controllerstate (iterate Execute (#3) s)‘ = ‘INTC‘

PATH ::= ACTPATH8 |+
path_start ACTPATH8 = ACT
path_end ACTPATH8 = ACT
path_length ACTPATH8 = #1

path_condition ‘ACTPATH8‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBJ‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘False‘

PATH ::= ACTPATH9 |+
path_start ACTPATH9 = ACT
path_end ACTPATH9 = ACT
path_length ACTPATH9 = #3

path_condition ‘ACTPATH9‘ ‘s‘ :==
    TRUE
  & ‘controllerstate s‘ = ‘WBJ‘
  & ‘(resetof (controllerinput (iterate Execute (#1) s)))‘ = ‘True‘
  & ‘controllerstate (iterate Execute (#1) s)‘ = ‘INTF‘
  & ‘controllerstate (iterate Execute (#2) s)‘ = ‘INTC‘

ACT_Invariant ‘s‘ :==
    ‘prefetch (ABS s)‘ = ‘get_IREG_state s‘
  & ‘OP_switch (current_opclass (ABS s))‘ = ‘controllerstate s‘
  & ‘current_dst (ABS s)‘ = ‘data_to_regaddr (get_DST_state s)‘
  & ‘current_result (ABS s)‘ = ‘get_RSLT_state s‘

Invariant ‘ACT‘ ‘s‘ := ACT_Invariant ‘s‘

Invariant ‘p‘ ‘s‘ := TRUE

PATH ::= |

ACT_ACT_Advance_Relation ‘s1‘ ‘s2‘ :== ‘ABS s2‘ = ‘Step (ABS s1)‘

Advance_Relation ‘ACT‘ ‘ACT‘ ‘s1‘ ‘s2‘ := ACT_ACT_Advance_Relation ‘s1‘ ‘s2‘

Advance_Relation ‘p1‘ ‘p2‘ ‘s1‘ ‘s2‘ := TRUE

path_precond ‘path‘ ‘s‘ :=
    ‘!path‘ = ‘True‘
  & path_condition ‘path‘ ‘s‘
  & Invariant ‘path_start path‘ ‘s‘

||clio: sy path_precond extend
||clio: sy Invariant extend

path_postcond ‘path‘ ‘s‘ :=
    Invariant ‘path_end path‘ ‘iterate Execute (path_length path) s‘
  & Advance_Relation ‘path_start path‘ ‘path_end path‘
                     ‘s‘ ‘iterate Execute (path_length path) s‘

VC ‘path‘ ‘s‘ :=
    path_precond ‘path‘ ‘s‘ => path_postcond ‘path‘ ‘s‘

VC_ok ‘s‘ :== (path) VC ‘path‘ ‘s‘

VC_ok_lemma :== Proper_state ‘s‘ => VC_ok ‘s‘

Timing_ok ‘s‘ :==
    Proper_state ‘Execute s‘

Timing_ok_lemma :==
    Timing_ok ‘s‘, Proper_state ‘s‘

Timing_ok_case ‘s‘ :==
    Timing_ok ‘s‘, ‘controllerstate s‘ = ‘c‘

Timing_ok_by_cases :== Proper_state ‘s‘ => Timing_ok_case ‘s‘


4.3 Common Part 

This section contains the definitions of the types and functions that are used in the abstract 
as well as the design specifications of FtCayuga. 

FROM CommonTheorySec IMPORT data, byte, addr, regaddr, sregaddr, opcode, opclass,
    inc_data, decr_data, add_data, sub_data, cne_data,
    data_to_addr, data_to_regaddr,
    data_to_sregaddr, regaddr_to_sregaddr, DATUM,
    opcodeof, indirect, src1of, src2of, dstof, opclassof,
    R0, R1, R2, R3, R4, nodata, dataerror, protected,
    JIF, JIT, JMP, ADD, LD, ST, CNE, MOVE, SADD,
    update, LSB, ACLASS, SCLASS, LCLASS, JCLASS, noop,
    error, JUMP_ERROR, STORE_ERROR, NO_ERROR, addr_0

|| The abstract state consists of the memory state, the NXPC, the state of
|| the registers, the current instruction, and an input stream.
type EXTSTATE = <<BOOL, [byte], [byte], [byte], [byte]>>

type ABS_STATE = <<addr->data, data, regaddr->data, data,
                   sregaddr->data, [EXTSTATE]>>

mem <<m, p, r, i, sr, in>> = m
nxpc <<m, p, r, i, sr, in>> = p
reg <<m, p, r, i, sr, in>> = r
instrn <<m, p, r, i, sr, in>> = i
ins <<m, p, r, i, sr, in>> = in
sreg <<m, p, r, i, sr, in>> = sr

|| Step has type ABS_STATE -> ABS_STATE.

Step s = <<newmem s, newnxpc s, newreg s, newinstr s, newsreg s, newins s>>

newmem s = store_effect s, current_opclass s = SCLASS
           mem s

newreg s = alu_effect s, current_opclass s = ACLASS
           load_effect s, current_opclass s = LCLASS
           reg s

|| The new current instruction is usually fetched as follows:
prefetch s = mem s (data_to_addr (nxpc s))

|| But when there is an interrupt the instruction isn't prefetched.
|| Right now, there's only one interrupt, so the handler is at whatever
|| is in memory at addr_0.
handler s = newmem s addr_0

handler_fetch s = newmem s (data_to_addr (handler s))

newinstr s = handler_fetch s, interrupt s
             prefetch s

|| The new next pc.
newnxpc s = inc_data (handler s), interrupt s
            jump_effect s, current_opclass s = JCLASS
            inc_data (nxpc s)

|| We must define at the abstract level the function that tells us
|| how many inputs to take from the input stream.

load_or_store x = (x=LCLASS) xor (x=SCLASS)

interruptof <<int,v1,v2,v3,st>> = int

interrupt s {load_or_store (opclassof (opcodeof (instrn s)))}
    = (interruptof (hd (ins s)) | interruptof (hd (tl (ins s))))
interrupt s = interruptof (hd (ins s))

num_cycles s {load_or_store (opclassof (opcodeof (instrn s)))}
    = (interrupt s) -> #4 ; #2
num_cycles s = (interrupt s) -> #3 ; #1

newins s = remove (num_cycles s) (ins s)
remove Zero l = l
remove (Succ n) l = remove n (tl l)

|| The current instruction is decoded:
current_op s = opcodeof (instrn s)
current_opclass s = opclassof (current_op s)
current_ind s = indirect (instrn s)
current_src1 s = src1of (instrn s)
current_src2 s = src2of (instrn s)
current_dst s = data_to_regaddr (dstof (instrn s))
current_sdst s = data_to_sregaddr (dstof (instrn s))

|| Operand1 is the contents of register src1.
current_operand1 s = reg s (current_src1 s)

|| If the addressing mode is indirect then operand2 is the contents of
|| the register src2, otherwise it's src2 itself.
current_operand2 s = reg s (data_to_regaddr (current_src2 s)), current_ind s
                     current_src2 s

|| The alu operation is usually add:
current_aluop s = which_op (current_op s)
which_op CNE = cne_data
which_op x = add_data

|| The current result is computed by applying the current alu operation
|| to the current operands, unless the opcode is MOVE, in which case
|| it's the contents of special-register src1.
current_result s {current_op s = MOVE} =
    sreg s (regaddr_to_sregaddr (current_src1 s))
current_result s = current_aluop s (current_operand1 s) (current_operand2 s)

alu_effect s = update (reg s) (current_dst s) (current_result s)

load_effect s = update (reg s) (current_dst s)
                       (mem s (data_to_addr (current_result s)))

store_effect s = update (mem s) (data_to_addr (current_result s))
                        (reg s (current_dst s))

jump_effect s = current_result s, jump_ok s
                inc_data (nxpc s)

jump_ok s = ((current_op s)=JMP)
            xor (((current_op s)=JIT) & (LSB (reg s (current_dst s))))
            xor (((current_op s)=JIF) & ~(LSB (reg s (current_dst s))))

|| A Special-Add instruction (SADD) stores its result in the
|| special register file, unless the dst is write-protected,
|| in which case it has no effect.
newsreg s = update (sreg s) (current_sdst s) (current_result s),
                (current_op s = SADD) & ~(protected (current_sdst s))
            sreg s

|| Specification of power-up (which includes a reset)
reset_addr s = mem s addr_0
reset_inst s = mem s (data_to_addr (reset_addr s))
abs_reset s = <<mem s, inc_data (reset_addr s),
                reg s, reset_inst s, sreg s, remove (#3) (ins s)>>

||clio: mod * off
||clio: add *
||clio: mod * on


5 IcNet Specification


5.1 Abstract Specification


FROM CommonTheorySec IMPORT Word, DATUM, PVT, VT1, VT2, VT3,
    BYTE0, BYTE1, BYTE2, BYTE3, getbyte
FROM VoterDesignSec IMPORT XNG11, XNG21, XNG31, CMPP, LDP1, LDP2, OUT1
FROM VoterAbstractSec IMPORT voterstep, cross_out, control, go_of, maj_of,
    row1of, arrayof,
    Proper_voterstate, next_voterstate,
    compute_majority, to_proc, get_maj_val, maj_of
FROM FtCayugaAbstractSec IMPORT FtCayugaStep, vstartout, prvtout, bytecount,
    Proper_ftcayuga, sregof, newPVT, newPVT2
FROM IcNetDesignSec IMPORT get_V1_state, get_V2_state, get_V3_state,
    get_V4_state, get_FTC1_state, get_FTC2_state,
    get_FTC3_state, get_FTC4_state, byzstep,
    byz_cross1, byz_cross2, byz_cross3, byz_to_proc,
    Execute, Proper_state, inlist_from, is_proper_ext,
    INDEX, ONE, TWO, THREE, FOUR, faulty, make_ftc_in,
    byzgo, byzpvt1, byzpvt2, byzpvt3, byzCayugaStep

||**************************************************************************

|| Some generic functions we need.

Iterate Zero f x = x
Iterate (Succ n) f x = Iterate n f (f x)

select Zero (a:x) = a
select (Succ n) (a:x) = select n x

||**************************************************************************

|| The successor relation on the indices.
succ ONE = TWO
succ TWO = THREE
succ THREE = FOUR
succ FOUR = ONE

succ2 = succ . succ
succ3 = succ2 . succ

||*********************** Fault modelling ***********************************

|| Everything is defined in terms of the parameter "faulty" which is a
|| predicate on the type INDEX which tells us which fault regions are faulty.

|| The possible faults are listed in the following enumerated type:

FAULT ::= Region ! INDEX | NO_FAULT

|| To model the fact that we are assuming at most one fault, we can suppose
|| that there is a constant, "the_fault" of type FAULT, and then define the
|| predicate "faulty" in terms of that constant.

the_fault :: FAULT
AXIOM ‘!the_fault‘ = ‘True‘

faulty index = (the_fault = (Region index))

||*********************** Abstraction function ******************************
|| This abstraction function lets us view the state of the ic-net
|| as a function from indices to ftcayuga states, a function from indices
|| to voter states, and an input stream.

|| We wouldn't need this step if the spectool supported indexed components.
IcNetABS s = <<FTCStates s, VoterStates s, inlist_from s>>

FTCStates s ONE = get_FTC1_state s
FTCStates s TWO = get_FTC2_state s
FTCStates s THREE = get_FTC3_state s
FTCStates s FOUR = get_FTC4_state s

VoterStates s ONE = get_V1_state s
VoterStates s TWO = get_V2_state s
VoterStates s THREE = get_V3_state s
VoterStates s FOUR = get_V4_state s

||*********************** Step function for IcNet ***************************
|| The abstract state change (behavior) of the voter-net.

|| What happens at each index depends on whether that index is faulty.

IcNetStep <<ftc,vtr,int:rest>> = <<newftc, newvtr, rest>>
    where newftc index = fault_ftc_step index ftc (ftcinput index)
          newvtr index = fault_vtr_step index vtr (vtrinput index)
          ftcinput index = make_ftc_in (select_int index int)
                                       (fault_to_proc index ftc vtr)
          vtrinput index = Voterinput index ftc vtr

fault_ftc_step index s in = FtCayugaStep (s index) in, ~(faulty index)
                            byzCayugaStep (s index) in

fault_vtr_step index s = voterstep (s index), ~(faulty index)
                         byzstep (s index)

select_int ONE <<a,b,c,d>> = a
select_int TWO <<a,b,c,d>> = b
select_int THREE <<a,b,c,d>> = c
select_int FOUR <<a,b,c,d>> = d

fault_to_proc index ftc vtr = to_proc (vtr index), ~(faulty index)
                              byz_to_proc (vtr index)

Voterinput index ftc vtr =
    <<fault_from_proc index ftc,
      fault_cross THREE (succ3 index) vtr,
      fault_cross TWO (succ2 index) vtr,
      fault_cross ONE (succ index) vtr>>

|| The function "fault_from_proc" gives the input tuple of values coming
|| from the processors to the voter whose index is "index".

fault_from_proc index ftc =
    <<fault_vstart index ftc,
      fault_prvt (whichprvt index (succ index)) (succ index) ftc,
      fault_prvt (whichprvt index (succ2 index)) (succ2 index) ftc,
      fault_prvt (whichprvt index (succ3 index)) (succ3 index) ftc>>

|| The expression "whichprvt i j" tells us which replica of the private value
|| of processor j is connected to voter i. This is only used when processor j
|| is faulty, and tells us which of byzpvt1, byzpvt2, and byzpvt3 was used.

whichprvt ONE i = 1
whichprvt TWO ONE = 1
whichprvt TWO i = 2
whichprvt THREE FOUR = 3
whichprvt THREE i = 2
whichprvt FOUR i = 3

fault_vstart i ftc = vstartout (ftc i), ~(faulty i)
                     byzgo (ftc i)

fault_prvt i1 i2 s = prvtout (s i2), ~(faulty i2)
                     byz_pvt i1 (s i2)

fault_cross i1 i2 s = cross_out (s i2), ~(faulty i2)
                      byz_cross i1 (s i2)

byz_cross ONE = byz_cross1
byz_cross TWO = byz_cross2
byz_cross THREE = byz_cross3

byz_pvt 1 = byzpvt1
byz_pvt 2 = byzpvt2
byz_pvt 3 = byzpvt3

IcNetStepLemma :=
    ‘IcNetABS (Execute s)‘ = ‘IcNetStep (IcNetABS s)‘, Proper_state ‘s‘

|| What we have done with this abstraction step is to organize the
|| state of the ic-net as a function on indices,
|| and to hide the cross connections.

||**************************************************************************

|| Here is the translation of the Proper_state predicate for the ic-net
|| to a predicate on the abstract ic-net.

Proper_inlist ‘l‘ := ‘is_proper_ext (select n l)‘ = ‘True‘, ‘!n‘ = ‘True‘

Proper_icnet ‘<<ftc,vtr,inlist>>‘ := Proper_voterstate ‘vtr ONE‘
  & Proper_voterstate ‘vtr TWO‘
  & Proper_voterstate ‘vtr THREE‘
  & Proper_voterstate ‘vtr FOUR‘
  & Proper_ftcayuga ‘ftc ONE‘
  & Proper_ftcayuga ‘ftc TWO‘
  & Proper_ftcayuga ‘ftc THREE‘
  & Proper_ftcayuga ‘ftc FOUR‘
  & Proper_inlist ‘inlist‘

|| We then prove:

ProperIcNetLemma :=
    Proper_state ‘s‘ => Proper_icnet ‘IcNetABS s‘


5.2 Design Specification

FROM CommonTheorySec IMPORT byte
FROM VoterAbstractSec IMPORT voterstep, cross_out, to_proc, VOTERSTATE,
    Proper_voterstate
FROM FtCayugaAbstractSec IMPORT FTCAYUGASTATE, FtCayugaStep, prvtout,
    vstartout, Proper_ftcayuga, statusword

|| Generated by the spectool
||clio: symbol Execute never
||clio: mod * off
||clio: add *
||clio: mod * on

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The Controller.

COMP ::= Controller |+

ACTION ::= Advance_controller |+

CONTROLSTATE :: type

LOCAL_STATE ::= S_Controller ! CONTROLSTATE |+
getcontrolstate (S_Controller x) = x
is_proper_contr (S_Controller x) = !x
||clio: sy is_proper_contr extend

controllerstate s = getcontrolstate (current s Controller)

effect Advance_controller s c =
    S_Controller (nextstate (controllerstate s) (controllerinput s))

delay Advance_controller = #0
component Advance_controller = Controller

controllerinput s = bottom

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The Control states and the next_state function.

CONTROLSTATE ::= GO |+
nextstate GO in = GO
CONTROLSTATE ::= |

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component External.

type EXTSTATE = <<BOOL, BOOL, BOOL, BOOL>>

external_input_int1 <<x0, x1, x2, x3>> = x0
external_input_int2 <<x0, x1, x2, x3>> = x1
external_input_int3 <<x0, x1, x2, x3>> = x2
external_input_int4 <<x0, x1, x2, x3>> = x3

is_proper_ext <<x0, x1, x2, x3>> = (!x0) & (!x1) & (!x2) & (!x3)

||clio: sy is_proper_ext extend

current_input <<s,p,in>> = in Zero
nth_input n <<s,p,in>> = in n
||clio: sy Proper_External extend
Proper_External ‘<<s,p,in>>‘ :=
    (t::NAT) ‘is_proper_ext (in t)‘ = ‘True‘
||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| There are 2 clock phases per cycle.

num_phases = 2
input_phases = [#1]

output_phase 0 = True
output_phase n = False

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The generic Execute function.

type SYSTEM_STATE = COMP -> LOCAL_STATE
type INPUT_STREAM = NAT -> EXTSTATE
type CHANGE = <<COMP, NAT, LOCAL_STATE>>
type STATE = <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>

pending_changes <<s,p,in>> = p

current <<s,p,in>> c = bottom, pending p c
                       s c

pending [] c = False
pending (<<c,t,v>>:rest) c {t > Zero} = True
pending (<<c2,t,v>>:rest) c = pending rest c

Execute s = do_phases 0 s

do_phases n s = update_state s, n = num_phases
                do_phases (n+1) (do_phase n s)

Output s = generate_output 0 s

generate_output n s {n = num_phases} = []
generate_output n s {output_phase n} =
    Out (do_phase n s) : generate_output (n+1) (do_phase n s)
generate_output n s = generate_output (n+1) (do_phase n s)

||clio: modify_rule "do_phases" count 20000
||clio: symbol do_phases never

update_state <<s,p,in>> = do_changes p <<s,[],in>>
do_phase n <<s,p,in>> =
    advance_inputstream (do_actions (current_schedule s2 n) s2)
    where s2 = update_state <<s,p,in>>

current_schedule s n = scheduler (controllerstate s) (controllerinput s) n

do_change <<c,Zero,v>> <<s,p,in>> = <<update s c v, p, in>>
do_change <<c,Succ n,v>> <<s,p,in>> = <<s, <<c,n,v>>:p, in>>

do_action a s = do_change (change_of a s) s

advance_inputstream <<s,p,in>> = <<s, p, in . Succ>>

change_of a s = <<component a, delay a, effect a s (component a)>>
do_changes [] s = s
do_changes (<<c,t,v>>:rest) s = do_changes rest (do_change <<c,t,v>> s)

|| This is a trick to handle conditional actions correctly
do_actions :: [ACTION] -> STATE -> STATE
AXIOM (s) ‘do_actions [] s‘ = ‘s‘
AXIOM (a) (rest) (s) ‘do_actions (a:rest) s‘ = ‘do_actions rest (do_action a s)‘

update s c v c2 = (c=c2) -> v ; s c2

foldl op s [] = s
foldl op s (a:rest) = foldl op (op a s) rest
map f [] = []
map f (a:x) = (f a) : (map f x)
list_to Zero = []
list_to (Succ n) = list_to n ++ [n]
iterate f Zero s = s
iterate f (Succ n) s = iterate f n (f s)
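The generic Execute machinery above is the simulation semantics every design proof in this report rests on: actions yield changes <<component, delay, value>>, a change with delay Zero takes effect at once, a change with delay Succ n is queued and re-counted at each update_state, and `current` reads bottom while a change with a remaining delay above Zero is in flight. The Python model below is an added illustration written for this page, not the report's Caliban text; its scheduler ignores the controller state (the report's scheduler is indexed by it), and the components, actions, delays and input stream are constructed so that a delay-0 write, a delay-1 write and a delay-2 write can be compared within one Execute.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Change = Tuple[str, int, object]      # the report's CHANGE = <<COMP, NAT, LOCAL_STATE>>
BOTTOM = None                         # stands in for the report's "bottom"
NUM_PHASES = 2                        # num_phases = 2


@dataclass(frozen=True)
class State:                          # STATE = <<SYSTEM_STATE, [CHANGE], INPUT_STREAM>>
    sys: Dict[str, object]
    pend: Tuple[Change, ...]
    inp: Callable[[int], object]


@dataclass(frozen=True)
class Action:                         # component a, delay a, effect a s c
    component: str
    delay: int
    effect: Callable[[State, str], object]


def pending(p, c):
    """A change to c counts as pending only while its remaining delay is > Zero."""
    return any(c2 == c and t > 0 for (c2, t, _) in p)


def current(st, c):
    return BOTTOM if pending(st.pend, c) else st.sys[c]


def current_input(st):
    return st.inp(0)


def do_change(ch, st):
    c, t, v = ch
    if t == 0:                                                   # <<c,Zero,v>>: apply now
        return State({**st.sys, c: v}, st.pend, st.inp)
    return State(st.sys, ((c, t - 1, v),) + st.pend, st.inp)    # <<c,Succ n,v>>: queue <<c,n,v>>


def do_changes(p, st):
    for ch in p:
        st = do_change(ch, st)
    return st


def update_state(st):
    return do_changes(st.pend, State(st.sys, (), st.inp))


def do_actions(acts, st):
    for a in acts:                    # change_of a s, then do_change, threaded left to right
        st = do_change((a.component, a.delay, a.effect(st, a.component)), st)
    return st


def advance_inputstream(st):
    nxt = st.inp
    return State(st.sys, st.pend, lambda n: nxt(n + 1))


def do_phase(n, st, scheduler):
    s2 = update_state(st)
    return advance_inputstream(do_actions(scheduler(s2, n), s2))


def execute(st, scheduler):
    for n in range(NUM_PHASES):
        st = do_phase(n, st, scheduler)
    return update_state(st)           # do_phases num_phases s = update_state s


# Constructed demo: CTR samples the input stream with delay #0, LAT1 copies CTR
# with delay #1, LAT2 copies CTR with delay #2, and two probes record what a
# reader of LAT1 / LAT2 sees in the same phase in which the copies were issued.
def demo_scheduler(st, phase):
    if phase == 0:
        return [Action("CTR", 0, lambda s, c: current_input(s)),
                Action("LAT1", 1, lambda s, c: current(s, "CTR")),
                Action("LAT2", 2, lambda s, c: current(s, "CTR")),
                Action("PROBE1", 0, lambda s, c: current(s, "LAT1")),
                Action("PROBE2", 0, lambda s, c: current(s, "LAT2"))]
    return []


def demo():
    init = State({"CTR": 0, "LAT1": 0, "LAT2": 0, "PROBE1": 0, "PROBE2": 0},
                 (), lambda n: 10 + n)                 # constructed input stream
    after = execute(init, demo_scheduler)
    return after.sys, after.pend, after.inp(0)
```

Running `demo()` shows the asymmetry that the `{t > Zero}` guard on `pending` creates: the delay-1 copy is queued with remaining delay Zero, so a reader in the same phase still sees the old latch value, whereas the delay-2 copy leaves the latch reading bottom until it lands; both copies are complete after the closing update_state of the cycle, and the input stream has advanced by one item per phase.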

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Component Classes.

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The component class voter.

voter :: type

type voter_localstate = <<VOTERSTATE, <<(TO_PROC), (fourbyte),
                                        (fourbyte), (fourbyte)>>>>

LOCAL_STATE ::= S_voter ! voter_localstate |+

ACTION ::= A_voter ! voter_ACT |+
voter_ACT ::=
    byzchange ! voter |
    byzout ! voter |
    changestate ! voter |
    output ! voter

voterdelay (byzchange c) = #1
votercomp (byzchange c) = C_voter c
voterout (byzchange c) s <<from_proc,v1,v2,v3>> =
    <<byz_to_proc s, byz_cross1 s, byz_cross2 s, byz_cross3 s>>
voterstate (byzchange c) s <<from_proc,v1,v2,v3>> =
    byzstep s <<from_proc,v1,v2,v3>>

voterdelay (byzout c) = #1
votercomp (byzout c) = C_voter c
voterout (byzout c) s <<from_proc,v1,v2,v3>> =
    <<byz_to_proc s, byz_cross1 s, byz_cross2 s, byz_cross3 s>>
voterstate (byzout c) s <<from_proc,v1,v2,v3>> = s

voterdelay (changestate c) = #1
votercomp (changestate c) = C_voter c
voterout (changestate c) s <<from_proc,v1,v2,v3>> =
    <<to_proc s, cross_out s, cross_out s, cross_out s>>
voterstate (changestate c) s <<from_proc,v1,v2,v3>> =
    voterstep s <<from_proc,v1,v2,v3>>

voterdelay (output c) = #1
votercomp (output c) = C_voter c
voterout (output c) s <<from_proc,v1,v2,v3>> =
    <<to_proc s, cross_out s, cross_out s, cross_out s>>
voterstate (output c) s <<from_proc,v1,v2,v3>> = s

effect (A_voter a) = votereffect a
delay (A_voter a) = voterdelay a
component (A_voter a) = votercomp a
votereffect a s c =
    S_voter <<voterstate a (getvoterstate (current s c)) (voterinput s c),
              voterout a (getvoterstate (current s c)) (voterinput s c)>>
getvoterstate (S_voter <<x,y>>) = x
getvoterout0 (S_voter <<x,<<y0,y1,y2,y3>> >>) = y0
getvoterout1 (S_voter <<x,<<y0,y1,y2,y3>> >>) = y1
getvoterout2 (S_voter <<x,<<y0,y1,y2,y3>> >>) = y2
getvoterout3 (S_voter <<x,<<y0,y1,y2,y3>> >>) = y3

is_proper_voter (S_voter <<x,<<y0,y1,y2,y3>> >>) =
    (!y0) & (!y1) & (!y2) & (!y3)

||clio: sy is_proper_voter extend

Goodvoter ‘s‘ ‘to_proc‘ ‘cross1‘ ‘cross2‘ ‘cross3‘ :== Proper_voterstate ‘s‘

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| The component class FtCayuga.

FtCayuga :: type

type FtCayuga_localstate =
    <<FTCAYUGASTATE, <<(fourbit), (fourbyte), (fourbyte), (fourbyte)>>>>
LOCAL_STATE ::= S_FtCayuga ! FtCayuga_localstate |+

ACTION ::= A_FtCayuga ! FtCayuga_ACT |+

FtCayuga_ACT ::=
    byzcayugaout ! FtCayuga |
    cayugaout ! FtCayuga |
    byzcayuga ! FtCayuga |
    cayugastep ! FtCayuga

FtCayugadelay (byzcayugaout c) = #1
FtCayugacomp (byzcayugaout c) = C_FtCayuga c
FtCayugaout (byzcayugaout c) s <<in,int>> =
    <<(byzgo s), (byzpvt1 s), (byzpvt2 s), (byzpvt3 s)>>
FtCayugastate (byzcayugaout c) s <<in,int>> = s

FtCayugadelay (cayugaout c) = #1
FtCayugacomp (cayugaout c) = C_FtCayuga c
FtCayugaout (cayugaout c) s <<in,int>> =
    <<(vstartout s), (prvtout s), (prvtout s), (prvtout s)>>
FtCayugastate (cayugaout c) s <<in,int>> = s

FtCayugadelay (byzcayuga c) = #1
FtCayugacomp (byzcayuga c) = C_FtCayuga c
FtCayugaout (byzcayuga c) s <<in,int>> =
    <<(byzgo s), (byzpvt1 s), (byzpvt2 s), (byzpvt3 s)>>
FtCayugastate (byzcayuga c) s <<in,int>> =
    byzCayugaStep s (make_ftc_in int in)

FtCayugadelay (cayugastep c) = #1
FtCayugacomp (cayugastep c) = C_FtCayuga c
FtCayugaout (cayugastep c) s <<in,int>> =
    <<(vstartout s), (prvtout s), (prvtout s), (prvtout s)>>
FtCayugastate (cayugastep c) s <<in,int>> =
    FtCayugaStep s (make_ftc_in int in)

effect (A_FtCayuga a) = FtCayugaeffect a
delay (A_FtCayuga a) = FtCayugadelay a
component (A_FtCayuga a) = FtCayugacomp a
FtCayugaeffect a s c =
    S_FtCayuga <<FtCayugastate a (getFtCayugastate (current s c))
                               (FtCayugainput s c),
                 FtCayugaout a (getFtCayugastate (current s c)) (FtCayugainput s c)>>
getFtCayugastate (S_FtCayuga <<x,y>>) = x
getFtCayugaout0 (S_FtCayuga <<x,<<y0,y1,y2,y3>> >>) = y0
getFtCayugaout1 (S_FtCayuga <<x,<<y0,y1,y2,y3>> >>) = y1
getFtCayugaout2 (S_FtCayuga <<x,<<y0,y1,y2,y3>> >>) = y2
getFtCayugaout3 (S_FtCayuga <<x,<<y0,y1,y2,y3>> >>) = y3

is_proper_FtCayuga (S_FtCayuga <<x,<<y0,y1,y2,y3>> >>) =
    (!y0) & (!y1) & (!y2) & (!y3)

||clio: sy is_proper_FtCayuga extend

GoodFtCayuga ‘s‘ ‘go‘ ‘pvt1‘ ‘pvt2‘ ‘pvt3‘ :== Proper_ftcayuga ‘s‘

ACTION ::= |

LOCAL_STATE ::= |

COMP ::=
    C_voter ! voter |
    C_FtCayuga ! FtCayuga

||*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Components (other than Controller and External)
|| and their connections.

FtCayuga ::= FTC1 |+
FtCayugainput s (C_FtCayuga FTC1) =
    <<getvoterout0 (current s (C_voter V1)),
      external_input_int1 (current_input s)>>

FtCayuga ::= FTC2 |+
FtCayugainput s (C_FtCayuga FTC2) =
    <<getvoterout0 (current s (C_voter V2)),
      external_input_int2 (current_input s)>>

FtCayuga ::= FTC3 |+
FtCayugainput s (C_FtCayuga FTC3) =
    <<getvoterout0 (current s (C_voter V3)),
      external_input_int3 (current_input s)>>

FtCayuga ::= FTC4 |+
FtCayugainput s (C_FtCayuga FTC4) =
    <<getvoterout0 (current s (C_voter V4)),
      external_input_int4 (current_input s)>>

voter ::= V1 |+
voterinput s (C_voter V1) =
    << <<getFtCayugaout0 (current s (C_FtCayuga FTC1)),
         getFtCayugaout1 (current s (C_FtCayuga FTC2)),
         getFtCayugaout1 (current s (C_FtCayuga FTC3)),
         getFtCayugaout1 (current s (C_FtCayuga FTC4))>>,
       getvoterout3 (current s (C_voter V4)),
       getvoterout2 (current s (C_voter V3)),
       getvoterout1 (current s (C_voter V2))>>

voter ::= V2 |+
voterinput s (C_voter V2) =
    << <<getFtCayugaout0 (current s (C_FtCayuga FTC2)),
         getFtCayugaout2 (current s (C_FtCayuga FTC3)),
         getFtCayugaout2 (current s (C_FtCayuga FTC4)),
         getFtCayugaout1 (current s (C_FtCayuga FTC1))>>,
       getvoterout3 (current s (C_voter V1)),
       getvoterout2 (current s (C_voter V4)),
       getvoterout1 (current s (C_voter V3))>>

voter ::= V3 |+
voterinput s (C_voter V3) =
    << <<getFtCayugaout0 (current s (C_FtCayuga FTC3)),
         getFtCayugaout3 (current s (C_FtCayuga FTC4)),
         getFtCayugaout2 (current s (C_FtCayuga FTC1)),
         getFtCayugaout2 (current s (C_FtCayuga FTC2))>>,
       getvoterout3 (current s (C_voter V2)),
       getvoterout2 (current s (C_voter V1)),
       getvoterout1 (current s (C_voter V4))>>

voter ::= V4 |+
voterinput s (C_voter V4) =
    << <<getFtCayugaout0 (current s (C_FtCayuga FTC4)),
         getFtCayugaout3 (current s (C_FtCayuga FTC1)),
         getFtCayugaout3 (current s (C_FtCayuga FTC2)),
         getFtCayugaout3 (current s (C_FtCayuga FTC3))>>,
       getvoterout3 (current s (C_voter V3)),
       getvoterout2 (current s (C_voter V2)),
       getvoterout1 (current s (C_voter V1))>>

voter ::= |
FtCayuga ::= |
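The abstract specification (section 5.1) describes the replica routing with `whichprvt`, `succ`, `succ2` and `succ3`, while the design specification above wires voters and processors port by port. Whether the two agree is exactly the kind of question IcNetStepLemma settles, and it can be checked mechanically on the tables alone. The Python below is an added illustration written for this page, not the report's code: it encodes `whichprvt` and the cross-connection rule from 5.1, transcribes the `voterinput` wiring from 5.2 into two tables, checks that they coincide and that each processor's three private-value replicas reach three different voters, and then builds the `fault_from_proc` tuples for a constructed single-fault scenario (the_fault = Region TWO) in which the faulty processor emits three different replicas.

```python
ONE, TWO, THREE, FOUR = 1, 2, 3, 4
INDEX = (ONE, TWO, THREE, FOUR)


def succ(i):
    return ONE if i == FOUR else i + 1


def succ2(i):
    return succ(succ(i))


def succ3(i):
    return succ2(succ(i))


def whichprvt(i, j):
    """Replica (1..3) of processor j's private value wired to voter i (section 5.1)."""
    if i == ONE:
        return 1
    if i == TWO:
        return 1 if j == ONE else 2
    if i == THREE:
        return 3 if j == FOUR else 2
    return 3


# Wiring transcribed from the voterinput definitions of section 5.2: for voter
# Vi, which FtCayuga output port (out1..out3) each other processor drives, and
# which (voter, output port) feeds each of its three cross inputs, in tuple order.
DESIGN_PRVT = {ONE: {TWO: 1, THREE: 1, FOUR: 1},
               TWO: {THREE: 2, FOUR: 2, ONE: 1},
               THREE: {FOUR: 3, ONE: 2, TWO: 2},
               FOUR: {ONE: 3, TWO: 3, THREE: 3}}
DESIGN_CROSS = {ONE: ((FOUR, 3), (THREE, 2), (TWO, 1)),
                TWO: ((ONE, 3), (FOUR, 2), (THREE, 1)),
                THREE: ((TWO, 3), (ONE, 2), (FOUR, 1)),
                FOUR: ((THREE, 3), (TWO, 2), (ONE, 1))}


def abstract_prvt():
    """What fault_from_proc selects: {voter: {processor: replica}}."""
    return {i: {j: whichprvt(i, j) for j in (succ(i), succ2(i), succ3(i))} for i in INDEX}


def abstract_cross():
    """What Voterinput selects: cross outputs THREE, TWO, ONE of succ3, succ2, succ."""
    return {i: ((succ3(i), 3), (succ2(i), 2), (succ(i), 1)) for i in INDEX}


def wiring_consistent():
    return abstract_prvt() == DESIGN_PRVT and abstract_cross() == DESIGN_CROSS


def replicas_distinct():
    """Every processor's three replicas reach three different voters, so a
    faulty processor can present a different private value to each peer."""
    return all({whichprvt(i, j) for i in INDEX if i != j} == {1, 2, 3} for j in INDEX)


def fault_from_proc(index, ftc, faulty):
    """from_proc tuple seen by voter `index`: its own processor's start flag, then
    the private values of succ, succ2 and succ3; a faulty processor contributes
    the replica that whichprvt says is wired to this voter."""
    def prvt(j):
        if faulty(j):
            return ftc[j]["byzpvt"][whichprvt(index, j) - 1]
        return ftc[j]["pvt"]
    go = ftc[index]["byzgo"] if faulty(index) else ftc[index]["vstart"]
    return (go, prvt(succ(index)), prvt(succ2(index)), prvt(succ3(index)))


def demo():
    """Constructed scenario with the_fault = Region TWO; all values are made up."""
    ftc = {i: {"vstart": True, "byzgo": False, "pvt": 0x10 * i,
               "byzpvt": (0xA1, 0xA2, 0xA3)} for i in INDEX}

    def faulty(i):
        return i == TWO

    return {i: fault_from_proc(i, ftc, faulty) for i in INDEX}
```

In the demo the three non-faulty voters agree on every slot except the one carrying processor TWO's value, where each receives a different replica (0xA1, 0xA2, 0xA3); that is the disagreement the later voting rounds have to resolve, and the at-most-one-fault axiom on `the_fault` is what bounds it to a single slot.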

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Output function
Out s = (bottom)

inlist_from <<s,p,in>> = input_phases_of in

input_phases_of in = (map in input_phases) ++
                     input_phases_of (in . (#+ inum_phases))

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The scheduler.

scheduler GO in 0 = (V1out)++(V2out)++(V3out)++(V4out)

V1out = ((faulty ONE)   -> [A_voter (byzout V1)] ; [A_voter (output V1)])
V2out = ((faulty TWO)   -> [A_voter (byzout V2)] ; [A_voter (output V2)])
V3out = ((faulty THREE) -> [A_voter (byzout V3)] ; [A_voter (output V3)])
V4out = ((faulty FOUR)  -> [A_voter (byzout V4)] ; [A_voter (output V4)])

V1state = ((faulty ONE)   -> [A_voter (byzchange V1)] ; [A_voter (changestate V1)])
V2state = ((faulty TWO)   -> [A_voter (byzchange V2)] ; [A_voter (changestate V2)])
V3state = ((faulty THREE) -> [A_voter (byzchange V3)] ; [A_voter (changestate V3)])
V4state = ((faulty FOUR)  -> [A_voter (byzchange V4)] ; [A_voter (changestate V4)])

FTC1act = ((faulty ONE)   -> [A_FtCayuga (byzcayuga FTC1)] ; [A_FtCayuga (cayugastep FTC1)])
FTC2act = ((faulty TWO)   -> [A_FtCayuga (byzcayuga FTC2)] ; [A_FtCayuga (cayugastep FTC2)])
FTC3act = ((faulty THREE) -> [A_FtCayuga (byzcayuga FTC3)] ; [A_FtCayuga (cayugastep FTC3)])
FTC4act = ((faulty FOUR)  -> [A_FtCayuga (byzcayuga FTC4)] ; [A_FtCayuga (cayugastep FTC4)])

scheduler GO in 1 = (V1state)++(V2state)++(V3state)++(V4state)++
                    (FTC1act)++(FTC2act)++(FTC3act)++(FTC4act)++[Advance_controller]

FTC1out = ((faulty ONE)   -> [A_FtCayuga (byzcayugaout FTC1)] ; [A_FtCayuga (cayugaout FTC1)])
FTC2out = ((faulty TWO)   -> [A_FtCayuga (byzcayugaout FTC2)] ; [A_FtCayuga (cayugaout FTC2)])
FTC3out = ((faulty THREE) -> [A_FtCayuga (byzcayugaout FTC3)] ; [A_FtCayuga (cayugaout FTC3)])
FTC4out = ((faulty FOUR)  -> [A_FtCayuga (byzcayugaout FTC4)] ; [A_FtCayuga (cayugaout FTC4)])

scheduler s in 1 = [Advance_controller]
scheduler s in t = []


|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| Proper state predicates.
is_proper_state 's' :==
      'is_proper_contr (current s Controller)' = 'True'
    & 'is_proper_FtCayuga (current s (C_FtCayuga FTC1))' = 'True'
    & 'is_proper_FtCayuga (current s (C_FtCayuga FTC2))' = 'True'
    & 'is_proper_FtCayuga (current s (C_FtCayuga FTC3))' = 'True'
    & 'is_proper_FtCayuga (current s (C_FtCayuga FTC4))' = 'True'
    & 'is_proper_voter (current s (C_voter V1))' = 'True'
    & 'is_proper_voter (current s (C_voter V2))' = 'True'
    & 'is_proper_voter (current s (C_voter V3))' = 'True'
    & 'is_proper_voter (current s (C_voter V4))' = 'True'

Proper_state 's' :==
      'pending_changes s' = '[]'
    & is_proper_state 's'
    & GoodFtCayuga 'getFtCayugastate (current s (C_FtCayuga FTC1))'
                   'getFtCayugaout0 (current s (C_FtCayuga FTC1))'
                   'getFtCayugaout1 (current s (C_FtCayuga FTC1))'
                   'getFtCayugaout2 (current s (C_FtCayuga FTC1))'
                   'getFtCayugaout3 (current s (C_FtCayuga FTC1))'
    & GoodFtCayuga 'getFtCayugastate (current s (C_FtCayuga FTC2))'
                   'getFtCayugaout0 (current s (C_FtCayuga FTC2))'
                   'getFtCayugaout1 (current s (C_FtCayuga FTC2))'
                   'getFtCayugaout2 (current s (C_FtCayuga FTC2))'
                   'getFtCayugaout3 (current s (C_FtCayuga FTC2))'
    & GoodFtCayuga 'getFtCayugastate (current s (C_FtCayuga FTC3))'
                   'getFtCayugaout0 (current s (C_FtCayuga FTC3))'
                   'getFtCayugaout1 (current s (C_FtCayuga FTC3))'
                   'getFtCayugaout2 (current s (C_FtCayuga FTC3))'
                   'getFtCayugaout3 (current s (C_FtCayuga FTC3))'
    & GoodFtCayuga 'getFtCayugastate (current s (C_FtCayuga FTC4))'
                   'getFtCayugaout0 (current s (C_FtCayuga FTC4))'
                   'getFtCayugaout1 (current s (C_FtCayuga FTC4))'
                   'getFtCayugaout2 (current s (C_FtCayuga FTC4))'
                   'getFtCayugaout3 (current s (C_FtCayuga FTC4))'
    & Goodvoter 'getvoterstate (current s (C_voter V1))'
                'getvoterout0 (current s (C_voter V1))'
                'getvoterout1 (current s (C_voter V1))'
                'getvoterout2 (current s (C_voter V1))'
                'getvoterout3 (current s (C_voter V1))'
    & Goodvoter 'getvoterstate (current s (C_voter V2))'
                'getvoterout0 (current s (C_voter V2))'
                'getvoterout1 (current s (C_voter V2))'
                'getvoterout2 (current s (C_voter V2))'
                'getvoterout3 (current s (C_voter V2))'
    & Goodvoter 'getvoterstate (current s (C_voter V3))'
                'getvoterout0 (current s (C_voter V3))'
                'getvoterout1 (current s (C_voter V3))'
                'getvoterout2 (current s (C_voter V3))'
                'getvoterout3 (current s (C_voter V3))'
    & Goodvoter 'getvoterstate (current s (C_voter V4))'
                'getvoterout0 (current s (C_voter V4))'
                'getvoterout1 (current s (C_voter V4))'
                'getvoterout2 (current s (C_voter V4))'
                'getvoterout3 (current s (C_voter V4))'
    & Proper_External 's'

||clio: symbol Proper_state extend_auto
||clio: symbol pending_changes extend_auto

|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| For export to other modules, we define functions that
|| access the internal state of each component that has one.
get_FTC1_state s = getFtCayugastate (current s (C_FtCayuga FTC1))
get_FTC2_state s = getFtCayugastate (current s (C_FtCayuga FTC2))
get_FTC3_state s = getFtCayugastate (current s (C_FtCayuga FTC3))
get_FTC4_state s = getFtCayugastate (current s (C_FtCayuga FTC4))

get_V1_state s = getvoterstate (current s (C_voter V1))
get_V2_state s = getvoterstate (current s (C_voter V2))
get_V3_state s = getvoterstate (current s (C_voter V3))
get_V4_state s = getvoterstate (current s (C_voter V4))


|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*

|| Auxiliary definitions.

make_ftc_in int <<v1,v2,v3,st,snd,fr>> =
    <<int, twolist v1, twolist v2, twolist v3, statusword st fr snd>>

twolist <<a,b>> = [a,b]
statusword :: *

byzstep, byz_to_proc :: *

byzc11, byzc12, byzc13, byzc14, byzc21, byzc22 :: *->byte
byzc23, byzc24, byzc31, byzc32, byzc33, byzc34 :: *->byte
byzCayugaStep :: *

byzp11, byzp12, byzp13, byzp14, byzp21, byzp22 :: *->byte
byzp23, byzp24, byzp31, byzp32, byzp33, byzp34 :: *->byte
byzg1, byzg2, byzg3, byzg4 :: *->BOOL


AXIOM '!(byzc11 x)'='!x'
AXIOM '!(byzc12 x)'='!x'
AXIOM '!(byzc13 x)'='!x'
AXIOM '!(byzc14 x)'='!x'
AXIOM '!(byzc21 x)'='!x'
AXIOM '!(byzc22 x)'='!x'
AXIOM '!(byzc23 x)'='!x'
AXIOM '!(byzc24 x)'='!x'
AXIOM '!(byzc31 x)'='!x'
AXIOM '!(byzc32 x)'='!x'
AXIOM '!(byzc33 x)'='!x'
AXIOM '!(byzc34 x)'='!x'

byz_cross1 x = <<byzc11 x, byzc12 x, byzc13 x, byzc14 x>>
byz_cross2 x = <<byzc21 x, byzc22 x, byzc23 x, byzc24 x>>
byz_cross3 x = <<byzc31 x, byzc32 x, byzc33 x, byzc34 x>>

AXIOM '!(byzp11 x)'='!x'
AXIOM '!(byzp12 x)'='!x'
AXIOM '!(byzp13 x)'='!x'
AXIOM '!(byzp14 x)'='!x'

byzpvt1 x = <<byzp11 x, byzp12 x, byzp13 x, byzp14 x>>
AXIOM '!(byzp21 x)'='!x'
AXIOM '!(byzp22 x)'='!x'
AXIOM '!(byzp23 x)'='!x'
AXIOM '!(byzp24 x)'='!x'

byzpvt2 x = <<byzp21 x, byzp22 x, byzp23 x, byzp24 x>>
AXIOM '!(byzp31 x)'='!x'
AXIOM '!(byzp32 x)'='!x'
AXIOM '!(byzp33 x)'='!x'
AXIOM '!(byzp34 x)'='!x'

byzpvt3 x = <<byzp31 x, byzp32 x, byzp33 x, byzp34 x>>
AXIOM '!(byzg1 x)'='!x'
AXIOM '!(byzg2 x)'='!x'
AXIOM '!(byzg3 x)'='!x'
AXIOM '!(byzg4 x)'='!x'

byzgo x = <<byzg1 x, byzg2 x, byzg3 x, byzg4 x>>


type FROM_PROC = <<proctuple,proctuple,proctuple,proctuple>>
type proctuple = <<byte, byte, byte, BOOL>>

type TO_PROC = <<twobyte,twobyte,twobyte,<<threebit,threebit>>,twobit,twobit>>

type fourbyte = <<byte, byte, byte, byte>>
type twobyte = <<byte,byte>>
type twobit = <<BOOL,BOOL>>
type threebit = <<BOOL,BOOL,BOOL>>
type fourbit = <<BOOL,BOOL,BOOL,BOOL>>

good_from_proc :: FROM_PROC->BOOL
good_from_proc <<a,b,c,d>> = (good_proctuple a) &
                             (good_proctuple b) &
                             (good_proctuple c) &
                             (good_proctuple d)
good_proctuple :: proctuple->BOOL
good_proctuple <<a,b,c,d>> = !a & !b & !c & !d

||clio: symbol Proper_voterstate extend_auto
||clio: symbol Proper_ftcayuga extend_auto

||clio: symbol good_from_proc extend_auto
||clio: symbol good_proctuple extend_auto
is_proper_ext :: EXTSTATE->BOOL

INDEX ::= ONE | TWO | THREE | FOUR

|| Everything is defined in terms of this parameter.
faulty :: INDEX -> BOOL
|| *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|| The outpoints and loop conditions.

PATH ::= |

Invariant 'p' 's' := TRUE

Advance_Relation 'p1' 'p2' 's1' 's2' := TRUE
path_start p = bottom
path_end p = bottom
path_length p = bottom

path_condition 'p' 's' := FALSE

path_precond 'path' 's' :=
      '!path' = 'True'
    & path_condition 'path' 's'
    & Invariant 'path_start path' 's'

||clio: sy path_precond extend
||clio: sy Invariant extend

path_postcond 'path' 's' := (
      Invariant 'path_end path' 'iterate Execute (path_length path) s'
    & Advance_Relation 'path_start path' 'path_end path'
                       's' 'iterate Execute (path_length path) s' )

VC 'path' 's' :=
    path_precond 'path' 's' => path_postcond 'path' 's'

VC_ok 's' :== (path) VC 'path' 's'

VC_ok_lemma :== Proper_state 's' => VC_ok 's'

Timing_ok 's' :==
    Proper_state 'Execute s'

Timing_ok_lemma :==
    Timing_ok 's', Proper_state 's'

Timing_ok_case 's' :==
    Timing_ok 's', 'controllerstate s'='c'

Timing_ok_by_cases :== Proper_state 's' => Timing_ok_case 's'


6 Common Theory 


6.1 Type Definitions 

|| Here's what we are assuming about the type number:

|| For ftcayuga, we must assume that a number consists of four bytes
byte_num ::= BYTE0 | BYTE1 | BYTE2 | BYTE3
byte :: sort

number = Word byte byte byte byte

byte_inc BYTE0 = BYTE1
byte_inc BYTE1 = BYTE2
byte_inc BYTE2 = BYTE3
byte_inc BYTE3 = BYTE0

inc_num :: number->number
decr_num :: number->number
AXIOM '!(decr_num x)'='!x'
AXIOM '!(inc_num x)'='!x'
AXIOM 'decr_num (inc_num x)'='x'
add_num :: number->number->number
n0 :: number
sub_num :: number->number->number
AXIOM '!(add_num x y)'='!x & !y'
AXIOM '!(sub_num x y)'='!x & !y'
AXIOM 'add_num x n0'='x'
AXIOM 'add_num n0 x'='x'
n1 :: number
n2 :: number
n3 :: number

|| Here's what we are assuming about the type data:
data ::= nodata | dataerror | DATUM ! number

inc_data (DATUM x) = DATUM (inc_num x)
inc_data x = x

decr_data (DATUM x) = DATUM (decr_num x)
decr_data x = x

add_data (DATUM x) (DATUM y) = DATUM (add_num x y)
sub_data (DATUM x) (DATUM y) = DATUM (sub_num x y)
cne_data x y = (x=y)->data_false; data_true
good (DATUM (Word x y z w)) = !x & !y & !z & !w
getbyte BYTE3 (DATUM (Word b3 b2 b1 b0)) = b3
getbyte BYTE2 (DATUM (Word b3 b2 b1 b0)) = b2
getbyte BYTE1 (DATUM (Word b3 b2 b1 b0)) = b1
getbyte BYTE0 (DATUM (Word b3 b2 b1 b0)) = b0

set_byte BYTE3 (DATUM (Word b3 b2 b1 b0)) v = DATUM (Word v b2 b1 b0)
set_byte BYTE2 (DATUM (Word b3 b2 b1 b0)) v = DATUM (Word b3 v b1 b0)
set_byte BYTE1 (DATUM (Word b3 b2 b1 b0)) v = DATUM (Word b3 b2 v b0)
set_byte BYTE0 (DATUM (Word b3 b2 b1 b0)) v = DATUM (Word b3 b2 b1 v)

get_byte = getbyte . num2byte
update_byte = set_byte . num2byte

num2byte 3 = BYTE3
num2byte 2 = BYTE2
num2byte 1 = BYTE1
num2byte 0 = BYTE0

LSB :: data->BOOL
AXIOM '!(LSB x)'='!x'

data_false :: data
data_true :: data

AXIOM 'good data_false'='True'
AXIOM 'good data_true'='True'
AXIOM 'LSB data_false'='False'
AXIOM 'LSB data_true'='True'

|| Memory addresses:
addr ::= ADDR ! number
data_to_addr (DATUM x) = ADDR x
inc_addr (ADDR x) = ADDR (inc_num x)
addr_0 = ADDR n0
data_0 = DATUM n0

|| Here's what we need about the regaddr's:
regaddr ::= R0  | R1  | R2  | R3  | R4  | R5  | R6  | R7  |
            R8  | R9  | R10 | R11 | R12 | R13 | R14 | R15 |
            R16 | R17 | R18 | R19 | R20 | R21 | R22 | R23 |
            R24 | R25 | R26 | R27 | R28 | R29 | R30 | R31

data_to_regaddr :: data -> regaddr
AXIOM '!(data_to_regaddr x)'='!x'
AXIOM 'data_to_regaddr (DATUM n0)'='R0'
AXIOM 'data_to_regaddr (DATUM n1)'='R1'
AXIOM 'data_to_regaddr (DATUM n2)'='R2'
AXIOM 'data_to_regaddr (DATUM n3)'='R3'

|| Special-reg-addrs

sregaddr ::= VT1 | VT2 | VT3 | STATUS | PVT |+
data_to_sregaddr :: data->sregaddr
AXIOM '!(data_to_sregaddr x)'='!x'
regaddr_to_sregaddr :: regaddr->sregaddr
AXIOM '!(regaddr_to_sregaddr x)'='!x'

|| Special registers VT1-VT3 and STATUS are write-protected

protected sr = (sr=VT1) xor (sr=VT2) xor (sr=VT3) xor (sr=STATUS)

opcode ::= LD | ST | ADD | JMP | JIT | JIF | CNE | SADD | MOVE | ICOP
opclass ::= SCLASS | JCLASS | LCLASS | ACLASS | NONE

opcodeof :: data -> opcode
indirect :: data -> BOOL
dstof :: data -> data          || note: this is "padded" to be data
src1of :: data -> regaddr
src2of :: data -> data         || note: this is "padded" to be data
AXIOM '!(opcodeof x)'='!x'
AXIOM '!(indirect x)'='!x'
AXIOM '!(dstof x)'='!x'
AXIOM 'good(dstof x)'='good x'
AXIOM '!(src1of x)'='!x'
AXIOM 'good(src2of x)'='good x'
AXIOM '!(src2of x)'='!x'

opclassof LD = LCLASS
opclassof ST = SCLASS
opclassof ADD = ACLASS
opclassof SADD = ACLASS
opclassof ICOP = ACLASS
opclassof MOVE = ACLASS
opclassof CNE = ACLASS
opclassof JMP = JCLASS
opclassof JIT = JCLASS
opclassof JIF = JCLASS

|| We need a NO_OP, which we take to be ADD R0 0 R0, which adds 0 to R0
noop :: data

AXIOM 'opcodeof noop'='ADD'
AXIOM 'indirect noop'='False'
AXIOM 'src1of noop'='R0'
AXIOM 'src2of noop'='DATUM n0'
AXIOM 'dstof noop'='DATUM n0'

|| This is the type of error flags. It's the part of the abstract state
|| which indicates whether an error has occurred.
error ::= NO_ERROR | JUMP_ERROR | STORE_ERROR

|| This function is used a lot.
update f x y z = (x=z)->y; f z

reset_to_addr x = data_0

||clio: mod * off
||clio: add *
||clio: mod * on
6.2 The Axioms

AXIOM 'majority_of x x z'='x' , '!z'='True'
AXIOM 'majority_of x z x'='x' , '!z'='True'
AXIOM 'majority_of z x x'='x' , '!z'='True'
AXIOM "majority_commutes" 'majority_of x y z'='majority_of y z x'

AXIOM 'good data_0'='True'

AXIOM '!(msbof x)'='True' , '!x'='True'
AXIOM 'msbof bottom'='bottom'

AXIOM 'good x'='True' => 'good (inc_data x)'='True'
AXIOM 'good(add_data x y)'='True' , 'good x & good y'='True'

AXIOM "sregaddr flat" (x :: sregaddr) '!!x'='!x'

AXIOM Proper_voterstate 'byzstep s in' , Proper_voterstate 's'
AXIOM "Proper_byzCayuga" Proper_ftcayuga 'byzCayugaStep s in' , Proper_ftcayuga 's'

AXIOM 'msbof (stwd1 st <<fr,x>> y)'='fr'
AXIOM 'next2msbof (stwd1 st x <<snd,y>>)'='snd'
AXIOM '!(stwd1 st x y)'='True' , '!!st & !!x & !!y'='True'

7 The Main Lemmas Proved 

MainTheorem defines the main correctness property that we proved. It expresses the 12-
cycle interactive consistency property for the entire system, which was described in detail
in sections 5.2 and 9.1 of Volume 1. In the following, we describe some of the main lemmas
that we proved in constructing a proof of MainTheorem.

MainTheorem states the interactive consistency property for the actual value (defined
by the function actualPVT) that the processor sends to the voter. Since the processor sends
the value to the voter over two cycles, we define one half of this value based on the contents
of the special register PVT in the cycle in which ICOP is executed and the other half based on
the contents of PVT in the following cycle. To ensure that the IC computation is performed
on a consistent value of PVT, the programmer must make sure that the content of PVT will
not change before the processor sends it to the voter. One way a programmer can ensure
this is by not having a SADD instruction, which is the only instruction that can change the
special register PVT, immediately following ICOP. AnotherMainTheorem formally states this
condition. We have not proved this theorem, which should follow from the MainTheorem.

To decompose the proof of MainTheorem into smaller proofs, we divided the 12-cycle
IC computation into a sequence of six stages of smaller duration. For each of these stages,
we proved a stage lemma that defines the expected behavior for that stage. The different
stages we used and their corresponding lemmas are enumerated below.

1. Load stage represents the first three cycles of IC computation in which the contents of
the private register are moved from the processor to the voter. The lemma corresponding
to this stage is Load_correct_lemma.

2. Exchange stage represents the next six cycles of the computation in which the voters
exchange values between each other. This stage is further divided into a sequence of
three 2-cycle computations, with one lemma for each of them: Xng1_correct_lemma,
Xng2_correct_lemma and Xng3_correct_lemma.

3. Compute stage represents the single cycle in which majority computation is performed.
The lemma corresponding to this stage is Compute_correct_lemma.

4. Output stage represents the last two cycles of the computation in which the results are
written into the processor. The lemma corresponding to this stage is Output_correct_lemma.

We "chained" the stage lemmas together, in order, to prove the MainTheorem. We
proved another set of lemmas, called connect lemmas, to assist us in the chaining process.
That is, we used the connect lemmas to prove that the antecedent of a stage lemma implies
the consequent of a succeeding stage lemma in the chain. The list given below shows the
order in which we used the lemmas for proving the MainTheorem. In the following, CL is
an abbreviation for "Connect_lemma," and -> is used to indicate the chronological order in
which two lemmas are proved when the lemmas appear within the same item in the list.

1. Load_correct_lemma

2. CL_1_4 -> (CL_1_5, CL_1_3) -> (CL_1_1, CL_1_2)

3. Xng1_correct_lemma

4. (CL_1_1, CL_1_2) -> CL_3

5. Xng2_correct_lemma

6. (CL_1_1, CL_1_2) -> CL_4

7. Xng3_correct_lemma

8. (CL_1_1, CL_1_2) -> CL_5

9. Compute_correct_lemma

10. (CL_1_1, CL_1_2) -> CL_6

11. Output_correct_lemma


|| *********************************************************************

|| Now we specify the multi-cycle behavior of the ic net.
|| We only expect it to perform correctly under certain assumptions.
|| First, at the beginning of the multi-cycle computation, all the
|| non-faulty voters should be synchronized in their LDP1 state,
|| and be waiting for the go-signal.
|| And all the non-faulty processors should be about to give the go-signal.
|| And all the non-faulty processors should have their bytecounter at BYTE1.
|| Using the following predicates, we can assert this condition
|| on the voternet state, s, as: Sync 'LDP1' 's' & All_go 's'

Sync 'cs' '<<ftc,vtr,inlist>>' :=
      ('faulty ONE'='False'   => 'control (vtr ONE)'='cs')
    & ('faulty TWO'='False'   => 'control (vtr TWO)'='cs')
    & ('faulty THREE'='False' => 'control (vtr THREE)'='cs')
    & ('faulty FOUR'='False'  => 'control (vtr FOUR)'='cs')

vtr <<f,v,in>> = v
ftc <<f,v,in>> = f
inlist <<f,v,in>> = in

GO = <<True,True,True,True>>

go_signal <<ftc,vtr,int:rest>> index = vstartout (ftc index)

All_go 's' :=
      ('faulty ONE'='False' =>
          ('go_of (vtr s ONE)'='False'
           & 'go_signal s ONE'='GO' & 'bytecount (ftc s ONE)'='BYTE1'))
    & ('faulty TWO'='False' =>
          ('go_of (vtr s TWO)'='False'
           & 'go_signal s TWO'='GO' & 'bytecount (ftc s TWO)'='BYTE1'))
    & ('faulty THREE'='False' =>
          ('go_of (vtr s THREE)'='False'
           & 'go_signal s THREE'='GO' & 'bytecount (ftc s THREE)'='BYTE1'))
    & ('faulty FOUR'='False' =>
          ('go_of (vtr s FOUR)'='False'
           & 'go_signal s FOUR'='GO' & 'bytecount (ftc s FOUR)'='BYTE1'))

Bytecount_sync 'b' 's' :=
      ('faulty ONE'='False'   => 'bytecount (ftc s ONE)'='b')
    & ('faulty TWO'='False'   => 'bytecount (ftc s TWO)'='b')
    & ('faulty THREE'='False' => 'bytecount (ftc s THREE)'='b')
    & ('faulty FOUR'='False'  => 'bytecount (ftc s FOUR)'='b')

|| So, the preconditions to the main correctness theorem are:

Preconditions 's' :=
    Proper_icnet 's' & Sync 'LDP1' 's' & All_go 's'

|| *********************************************************************

|| Some intermediate results.

|| Specification of the load cycles.

|| This function defines the actual private value used by ICOP
actualPVT s index =
    half_and_half (newPVT2 (ftc s index) (first_interrupt s index))
                  (newPVT (ftc s index))

half_and_half hi lo = DATUM (Word (getbyte BYTE3 hi) (getbyte BYTE2 hi)
                                  (getbyte BYTE1 lo) (getbyte BYTE0 lo))

first_interrupt <<ftc,vtr,inlist>> index = select_int index (hd inlist)

load_correct 'before' 'after' 'index' :=
      ('faulty (succ index)'='False'
         => 'arrayof (vtr after index) 1 1'='actualPVT before (succ index)')
    & ('faulty (succ2 index)'='False'
         => 'arrayof (vtr after index) 1 2'='actualPVT before (succ2 index)')
    & ('faulty (succ3 index)'='False'
         => 'arrayof (vtr after index) 1 3'='actualPVT before (succ3 index)')

Load_correct 'before' 'after' :=
      'faulty ONE'='False'   => load_correct 'before' 'after' 'ONE'
    & 'faulty TWO'='False'   => load_correct 'before' 'after' 'TWO'
    & 'faulty THREE'='False' => load_correct 'before' 'after' 'THREE'
    & 'faulty FOUR'='False'  => load_correct 'before' 'after' 'FOUR'

Load = Iterate (#3) IcNetStep

Load_correct_proper 's' :=
    Load_correct 's' 'Load s' & Sync 'XNG11' 'Load s'

Load_correct_lemma :=
    Preconditions 's' => Load_correct_proper 's'

|| *********************************************************************

|| Specification of the exchange cycles.
xng1_correct 's' 'index' :=
      ('faulty (succ index)'='False' =>
          'arrayof (vtr s index) 2 2'='arrayof (vtr s (succ index)) 1 1')
    & ('faulty (succ2 index)'='False' =>
          'arrayof (vtr s index) 3 3'='arrayof (vtr s (succ2 index)) 1 1')

xng2_correct 's' 'index' :=
      ('faulty (succ index)'='False' =>
          'arrayof (vtr s index) 2 3'='arrayof (vtr s (succ index)) 1 2')
    & ('faulty (succ3 index)'='False' =>
          'arrayof (vtr s index) 3 1'='arrayof (vtr s (succ3 index)) 1 2')

xng3_correct 's' 'index' :=
      ('faulty (succ2 index)'='False' =>
          'arrayof (vtr s index) 2 1'='arrayof (vtr s (succ2 index)) 1 3')
    & ('faulty (succ3 index)'='False' =>
          'arrayof (vtr s index) 3 2'='arrayof (vtr s (succ3 index)) 1 3')

Xng1_correct 's' :=
      'faulty ONE'='False'   => xng1_correct 's' 'ONE'
    & 'faulty TWO'='False'   => xng1_correct 's' 'TWO'
    & 'faulty THREE'='False' => xng1_correct 's' 'THREE'
    & 'faulty FOUR'='False'  => xng1_correct 's' 'FOUR'

Xng2_correct 's' :=
      'faulty ONE'='False'   => xng2_correct 's' 'ONE'
    & 'faulty TWO'='False'   => xng2_correct 's' 'TWO'
    & 'faulty THREE'='False' => xng2_correct 's' 'THREE'
    & 'faulty FOUR'='False'  => xng2_correct 's' 'FOUR'

Xng3_correct 's' :=
      'faulty ONE'='False'   => xng3_correct 's' 'ONE'
    & 'faulty TWO'='False'   => xng3_correct 's' 'TWO'
    & 'faulty THREE'='False' => xng3_correct 's' 'THREE'
    & 'faulty FOUR'='False'  => xng3_correct 's' 'FOUR'

Xng = Iterate (#2) IcNetStep

Xng1_correct_lemma :=
    (Proper_icnet 's' & Sync 'XNG11' 's') =>
    (Xng1_correct 'Xng s' & Sync 'XNG21' 'Xng s')

Xng2_correct_lemma :=
    (Proper_icnet 's' & Sync 'XNG21' 's' & Xng1_correct 's') =>
    (Xng2_correct 'Xng s' & Sync 'XNG31' 'Xng s' & Xng1_correct 'Xng s')

Xng3_correct_lemma :=
    (Proper_icnet 's' & Sync 'XNG31' 's' & Xng1_correct 's' & Xng2_correct 's') =>
    (Xng3_correct 'Xng s' & Sync 'CMPP' 'Xng s'
     & Xng1_correct 'Xng s' & Xng2_correct 'Xng s')

|| *********************************************************************

|| The compute and output cycles:

|| An array is a function of type :: INDEX->INDEX->data
|| If A is an array and i is an index, then A i has type :: INDEX->data,
|| so it represents a vector of four values, one for each index.
|| This representation makes it easy to rotate the vector, since the
|| rotated vector is obtained by composing with the function "succ".
|| Now we can say that an array A is consistent if, for all non-faulty
|| indices i and j, the vectors A i and A j are related by the appropriate
|| rotation, e.g. if j = succ2 i then (A i).succ2 equals (A j).

IndexConsistent 'array' 'index' :=
      ('faulty (succ index)'='False'  => '(array index).succ'='array (succ index)')
    & ('faulty (succ2 index)'='False' => '(array index).succ2'='array (succ2 index)')
    & ('faulty (succ3 index)'='False' => '(array index).succ3'='array (succ3 index)')

Consistent 'array' :=
      'faulty ONE'='False'   => IndexConsistent 'array' 'ONE'
    & 'faulty TWO'='False'   => IndexConsistent 'array' 'TWO'
    & 'faulty THREE'='False' => IndexConsistent 'array' 'THREE'
    & 'faulty FOUR'='False'  => IndexConsistent 'array' 'FOUR'

a_icvec init final index ONE   = actualPVT init index
a_icvec init final index TWO   = maj_val 1 final index
a_icvec init final index THREE = maj_val 2 final index
a_icvec init final index FOUR  = maj_val 3 final index

maj_val i <<ftc,vtr,in>> index = get_maj_val i (maj_of (vtr index))

Compute = Iterate (#1) IcNetStep

Compute_correct_lemma :=
    (Proper_icnet 's' & Sync 'CMPP' 's'
     & Proper_icnet 'before' & Load_correct 'before' 's'
     & Xng1_correct 's' & Xng2_correct 's' & Xng3_correct 's')
    => (Consistent 'a_icvec before (Compute s)'
        & Sync 'OUT1' 'Compute s')

|| We want the final correctness condition to refer only to the
|| states of the processors, not the voters. So the icvec that
|| we state the condition on is:

icvec init final index ONE   = actualPVT init index
icvec init final index TWO   = get_special_register VT1 final index
icvec init final index THREE = get_special_register VT2 final index
icvec init final index FOUR  = get_special_register VT3 final index

get_special_register saddr <<ftc,vtr,inlist>> index = sregof (ftc index) saddr

|| So to finish off the proof of correctness we need only show that
|| for non-faulty index, 'icvec init (Output s) index'='a_icvec init s index'
Output = Iterate (#2) IcNetStep

output_correct 's' 'index' :=
    'icvec init (Output s) index'='a_icvec init s index'

Output_correct 's' :=
      ('faulty ONE'='False'   => output_correct 's' 'ONE')
    & ('faulty TWO'='False'   => output_correct 's' 'TWO')
    & ('faulty THREE'='False' => output_correct 's' 'THREE')
    & ('faulty FOUR'='False'  => output_correct 's' 'FOUR')

Output_correct_lemma :=
    (Proper_icnet 's' & Sync 'OUT1' 's' & Bytecount_sync 'BYTE1' 's')
    => Output_correct 's'

Twelve_cycle = Output . Compute . Xng . Xng . Xng . Load

MainTheorem := Preconditions 's' => Consistent 'icvec s (Twelve_cycle s)'
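The stage structure described in Section 7 (load, three exchange rounds, majority compute) and the rotation-based Consistent predicate can be exercised on a small executable model. The Python below is an added illustration written for this listing; it is not part of the Clio specification or of the ORA proof. It keeps the relay pattern of xng1_correct, xng2_correct and xng3_correct and the vector-as-function-of-INDEX reading of Consistent, models INDEX as 0..3 with succ as rotation, and replaces the majority_of axioms (which leave the all-different case unconstrained) with a function returning None in that case; the `two_faced` sender is a constructed fault model, not something the specification defines.

```python
"""Executable model of the four-node IC exchange: load, three exchange
rounds, majority compute, and the rotation-based Consistent check.

Added illustration for this listing; not the Clio specification itself.
INDEX ::= ONE | TWO | THREE | FOUR is modelled as 0..3 and succ as rotation.
"""
from typing import Callable, List, Optional, Set

N = 4
Value = Optional[object]
# Fault model: (sender, receiver, round, honest value) -> value actually sent.
Liar = Callable[[int, int, str, Value], Value]


def succ(i: int, k: int = 1) -> int:
    """succ, succ2, succ3 of the specification: rotate the index by k."""
    return (i + k) % N


def majority_of(x: Value, y: Value, z: Value) -> Value:
    """The majority_of axioms fix the result when two arguments agree; the
    all-different case is unconstrained in the spec, so this model returns None."""
    if x == y or x == z:
        return x
    if y == z:
        return y
    return None


def run_ic(pvt: List[Value], faulty: Set[int], lie: Liar) -> List[List[Value]]:
    """Return icvec: icvec[i][m] is the value node i finally holds for node
    succ(i, m) (m = 0 is its own private value, as a_icvec ... ONE = actualPVT)."""

    def send(sender: int, receiver: int, rnd: str, value: Value) -> Value:
        # Non-faulty nodes forward faithfully; faulty ones follow the fault model.
        return lie(sender, receiver, rnd, value) if sender in faulty else value

    # a[i][r][c] mirrors 'arrayof (vtr s i) r c' with 1-based r, c in 1..3.
    a = [[[None] * 4 for _ in range(4)] for _ in range(N)]

    # Load stage: row 1 holds what succ(i), succ2(i), succ3(i) send directly.
    for i in range(N):
        for c in (1, 2, 3):
            src = succ(i, c)
            a[i][1][c] = send(src, i, "load", pvt[src])

    # Exchange stages: (round, cell written at i, relay offset k, cell read at
    # succ(i, k)), exactly the pattern of xng1_correct, xng2_correct, xng3_correct.
    relays = [
        ("xng1", (2, 2), 1, (1, 1)), ("xng1", (3, 3), 2, (1, 1)),
        ("xng2", (2, 3), 1, (1, 2)), ("xng2", (3, 1), 3, (1, 2)),
        ("xng3", (2, 1), 2, (1, 3)), ("xng3", (3, 2), 3, (1, 3)),
    ]
    # Every relayed value is read from row 1, which is fixed after the load
    # stage, so applying the rounds in sequence needs no intermediate snapshot.
    for rnd, (r, c), k, (rr, rc) in relays:
        for i in range(N):
            relay = succ(i, k)
            a[i][r][c] = send(relay, i, rnd, a[relay][rr][rc])

    # Compute stage: column c holds three copies of succ(i, c)'s value
    # (one direct, two relayed); maj_val c is their majority.
    return [[pvt[i]] + [majority_of(a[i][1][c], a[i][2][c], a[i][3][c])
                        for c in (1, 2, 3)]
            for i in range(N)]


def index_consistent(icvec: List[List[Value]], faulty: Set[int], i: int) -> bool:
    """IndexConsistent: for each non-faulty j = succ(i, k), (icvec i).succ_k = icvec j."""
    for k in (1, 2, 3):
        j = succ(i, k)
        if j in faulty:
            continue
        if any(icvec[i][succ(m, k)] != icvec[j][m] for m in range(N)):
            return False
    return True


def consistent(icvec: List[List[Value]], faulty: Set[int]) -> bool:
    """Consistent: IndexConsistent at every non-faulty index."""
    return all(index_consistent(icvec, faulty, i) for i in range(N) if i not in faulty)


# Constructed fault model: the faulty node tells even-numbered receivers the
# truth and odd-numbered receivers a forged value, as source and as relay.
def two_faced(sender: int, receiver: int, rnd: str, value: Value) -> Value:
    return value if receiver % 2 == 0 else "forged"


if __name__ == "__main__":
    vec = run_ic(["a", "b", "c", "d"], {3}, two_faced)
    print(vec, consistent(vec, {3}))
```

With node 3 faulty, each honest node's three copies of node 3's value are the three values node 3 sent directly to the honest nodes (one received directly, two relayed by honest nodes), so all honest nodes compute the same majority; for an honest source, at most one of the three copies passed through the faulty relay, so the majority is the true value. That is the single-fault case the 12-cycle theorem covers.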
|| To chain these lemmas together we need:

Connect_lemma_1_1 :==
    (Proper_icnet 's' & Sync 'cs' 's' & 'cs=LDP1'='False')
    => Proper_icnet 'IcNetStep s'

Connect_lemma_1_2 :==
    (Proper_icnet 's' & Sync 'cs' 's' & 'cs=LDP1'='False')
    => Sync 'next_voterstate cs' 'IcNetStep s'

Connect_lemma_1_3 :==
    Preconditions 's' => Sync 'LDP2' 'Iterate (#2) IcNetStep s'

Ready 's' :=
      ('faulty ONE'='False'   => 'go_of (vtr s ONE)'='True')
    & ('faulty TWO'='False'   => 'go_of (vtr s TWO)'='True')
    & ('faulty THREE'='False' => 'go_of (vtr s THREE)'='True')
    & ('faulty FOUR'='False'  => 'go_of (vtr s FOUR)'='True')
    & Sync 'LDP1' 's'

Connect_lemma_1_4 :==
    Preconditions 's' => (Proper_icnet 'IcNetStep s' & Ready 'IcNetStep s')
Connect_lemma_1_5 :==
    (Proper_icnet 's' & Ready 's') => Proper_icnet 'IcNetStep s'

Connect_lemma1 :=
    Connect_lemma_1_1 & Connect_lemma_1_2 & Connect_lemma_1_3 & Connect_lemma_1_4

Connect_lemma3 :=
    (Proper_icnet 's' & Sync 'XNG11' 's' & Load_correct 'before' 's') =>
    Load_correct 'before' 'Xng s'

Connect_lemma4 :=
    (Proper_icnet 's' & Sync 'XNG21' 's' & Load_correct 'before' 's') =>
    Load_correct 'before' 'Xng s'

Connect_lemma5 :=
    (Proper_icnet 's' & Sync 'XNG31' 's' & Load_correct 'before' 's') =>
    Load_correct 'before' 'Xng s'

Connect_lemma6 := Preconditions 's' =>
    Bytecount_sync 'BYTE1' 'Compute (Xng (Xng (Xng (Load s))))'


|| *********************************************************************
|| Here's another theorem that expresses a property useful from the point of
|| view of a programmer using ICOP. It ensures that the system performs IC
|| computation on the contents of SREG[PVT] in the cycle in which ICOP was
|| executed, provided the instruction immediately following ICOP is not
|| SADD. The following theorem, which has not been proved yet, can be proved
|| using the above MainTheorem as a lemma.
|| *********************************************************************

|| After 12 cycles, each non-faulty processor should have a vector
|| of four values: the initial value of its PVT special register
|| and the final values in the special registers VT1, VT2, and VT3.

|| Among the non-faulty processors, these vectors should be related
|| by a rotation.

anothericvec init final index ONE   = get_special_register PVT init index
anothericvec init final index TWO   = get_special_register VT1 final index
anothericvec init final index THREE = get_special_register VT2 final index
anothericvec init final index FOUR  = get_special_register VT3 final index

|| Note that the expression 'icvec init final index' is actually
|| a function on the type INDEX, and represents the vector of four values.

|| *********************************************************************
ResultConsistent 's' := Consistent 'anothericvec s (Iterate #12 IcNetStep s)'

AnotherMainTheorem :=
    Preconditions 's' & Next_instrn_isnot_SADD 's' => ResultConsistent 's'

Array s = arrayof . (vtr s)

ItStep n = Iterate n IcNetStep


8 General Lemmas 

'bytecount (FtCayugaStep s in)'='byte_inc (byte_inc (bytecount s))'

'getbyte b (set_byte c w v)'='getbyte b w' , 'b = c'='False'

'getbyte b (set_byte b w v)'='v' , 'good v & !v & !b'='True'

'DATUM (Word (getbyte BYTE3 x) (getbyte BYTE2 x) (getbyte BYTE1 x)
            (getbyte BYTE0 x))'='x' , 'good x'='True'

'!(msbof (getbyte b w))'='True' , '!b & good w'='True'

'(BYTE3 = x) | (BYTE2 = x) | (BYTE1 = x) | (BYTE0 = x)'='!x'

'!(getbyte b w)'='!b' , 'good w'='True'

'!!(data_to_addr x)'='True' , 'good x'='True'

'good(set_byte b w v)'='!b & !v' , 'good w'='True'

"good2definite" 'good x'='True' => '!!x'='True'

'!(byte_inc b)'='!b'

Proper_inlist 'a:b' => Proper_inlist 'b'

'!(byzCayugaStep s in)'='True' , Proper_ftcayuga 's'

'!(newcontr cs in irq)'='!cs' , '!in & !irq'='True'